RACI matrix for ISO 27001 implementation project

Very often, an ISO 27001 implementation project is a multi-level and multidisciplinary endeavor, where personnel involved have different roles and responsibilities as the project progresses.

To help clarify and control personnel involvement, many projects make use of the RACI matrix, and in this article, we’ll show one example of how to apply it to an ISO 27001 implementation project.

RACI matrix basic concepts

RACI is a form of responsibility assignment presentation, and is named after the four most common responsibilities used: Responsible, Accountable, Consulted, and Informed.

• Responsible: Refers to those who do the work to complete the task.
• Accountable: Designates the person who ultimately answer for the results of an activity, and also who delegates the work to the people who will execute it.
• Consulted: Refers to those who sought be heard on the related activity, and with whom there is two-way communication.
• Informed: Designates those who sought to be kept up-to-date on the progress of the activity, and with whom there is just one-way communication.

In some situations, the same role that is accountable for an activity may also be responsible for its execution.

RACI matrix for ISO 27001 project implementation

Considering the previous definitions, the following table presents a suggestion for a RACI matrix covering general activities related to an ISO 27001 implementation project and the roles involved. For more information about the listed activities, please read this ISO 27001 implementation checklist.

It is important to note that the matrix was developed assuming that the project already has top management buy-in. Obtaining the management buy-in is critical to the success of the project, but in terms of the RACI matrix, this activity would only add unnecessary complexity. Obtaining management approval is only done once before the project planning and execution start, and this activity can be defined within (Read more...)