Roles, Responsibilities, and Authorities
Document ID: DPWAT-ISMS-GOV-003
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-08-18
Next review: 12 months after effective date (or on major change)
1. Roles (definitions)
- Administrator (ADM): Top-management role responsible for approving ISMS resources and major decisions.
- ISMS Manager / CISO (RMSI): Responsible for coordinating information security governance, risk, incidents, training, reviews.
- Process Owner (RA): Owner of a process/activity; ensures controls are implemented for that process. Given company size, the CISO often serves as Process Owner for most ISMS processes.
Note: Given DP WAT's small team (~7 people, 2 Administrators + 5 employees), governance and risk discussions happen informally between the CISO and Administrator(s) rather than through a formal committee structure.
2. Mandatory appointments
- Administrator(s): Anna Boros; Timo Andreas Bejan
- ISMS Manager / CISO: Timo Andreas Bejan
- Deputy / backup for CISO: Anna Boros (Administrator)
3. Responsibility overview (minimum)
| Activity | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Maintain ISMS documents | CISO | ADM | ADM | All personnel |
| Risk assessment & treatment plan | CISO | ADM | Process Owners | All relevant |
| Approve risk acceptance (residual) | CISO | ADM | ADM | Process Owners |
| Access provisioning/removal | Administrator | CISO | Process Owner | Requestor |
| Supplier onboarding & review | Process Owner | CISO | ADM | All relevant |
| Incident coordination | CISO | ADM | Process Owner/Admin | Relevant parties |
| Internal audit program | CISO | ADM | ADM | Process Owners |
| Management review | ADM | ADM | CISO | All personnel |
4. Authority boundaries
- Only Administrators may approve:
  - ISMS scope changes
  - Material risk acceptance (high risks)
  - Significant supplier onboarding (high-risk suppliers)
  - Major corrective actions requiring budget/resources
- The CISO may:
  - Request immediate access revocation
  - Require incident containment actions
  - Require evidence/records for audits