When no one owns cybersecurity, breaches go undetected because nobody feels responsible for watching the systems. A textile exporter in Gujarat had customer payment details stolen after the office manager, the only person with database access, left without handing over her passwords or documenting her duties; nobody else even knew what she had access to. Without clear responsibilities you also fail compliance audits (the DPDP Act makes the Data Fiduciary answerable for how personal data is handled, so you must be able to show who manages it), risk losing customer contracts (large buyers in Germany or the US increasingly ask for a RACI matrix or equivalent showing who does what), and struggle to respond to incidents because nobody knows whom to call when something goes wrong.
Find where your organisation is today. Be honest: the self-assessment is only useful if it reflects reality.
Absent
You don't have a document listing who does cybersecurity work, and you haven't formally thought about who should own this. When a security problem happens, whoever is closest to the keyboard handles it, or the owner deals with it themselves.
Initial
You have a rough list (maybe in someone's head or an old email) of who handles IT and passwords, but it was never formally written down and hasn't been reviewed in over a year. There's no clear distinction between roles like who patches systems, who handles backups, or who investigates incidents.
Developing
You have a written document naming the IT person or team and listing their main responsibilities (e.g., 'Rajesh handles servers,' 'Priya manages passwords'), and you reviewed it within the last 12 months. But the document doesn't cover what happens if that person is absent, and it doesn't describe responsibilities by function (like 'who approves access?').
Defined
You have a formal document (RACI matrix or roles-and-responsibilities chart) showing who is accountable for major cybersecurity functions (patch management, backup, user access, incident response, compliance). You've reviewed and updated it in the last 12 months, and it names backups for critical roles.
Managed
You have a detailed, up-to-date cybersecurity roles document that covers all major functions and includes clear escalation paths (whom to call if the main person is unavailable). You've trained everyone on their responsibilities, documented handover procedures, and reviewed this in the last 12 months.
Optimised
Your cybersecurity responsibilities are integrated into formal job descriptions, reviewed annually with all staff, and changes are tracked in a change log. You have succession plans for critical roles, responsibilities are clearly communicated to third-party vendors/contractors, and the document is audited by leadership or external auditors at least annually.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Call a 30-minute meeting with your IT person (or yourself if you do IT) and write down a simple list: who does backups, who resets passwords, who installs updates, who handles customer data, who would know if there's a security problem. Save this as a Word document or Excel sheet. | Business owner or office manager | 1 day |
| 1 → 2 | Expand your rough list into a one-page RACI matrix: rows are cybersecurity tasks (backup, passwords, antivirus, data protection, incident response), columns are people's names. Mark each cell R (Responsible: does the work), A (Accountable: owns the outcome and makes decisions; exactly one per task), C (Consulted: gives input before the work is done) or I (Informed: told afterwards). Share with your IT team and get sign-off. | IT lead or HR manager | 3-5 days |
| 2 → 3 | Convert your matrix into a formal Cybersecurity Roles & Responsibilities document (2-3 pages). Include job titles, key duties, escalation contacts, and who covers if someone is absent. Have the owner or director sign and date it. File one copy physically and one digitally with a 'Last Reviewed' date. | IT manager or consultant | 2-3 weeks |
| 3 → 4 | Conduct a formal review meeting at least once every 6 months. Invite your IT team, office manager, and a senior manager. Compare current roles against actual day-to-day work. Update the document, record what changed and why, and re-sign it. Keep a simple change log. | IT manager and business manager | Recurring (half a day every 6 months) |
| 4 → 5 | Embed cybersecurity responsibilities into formal job descriptions for all staff who touch IT or data. Link performance reviews to this. Have an external auditor or compliance consultant review your RACI matrix annually. Document decisions and feedback from these reviews. | HR manager and compliance officer | Ongoing (annual review and update cycle) |
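The matrix from the steps above can be sanity-checked mechanically before sign-off. The following is an added example, not part of the NIRMATA page or its tooling: a small Python script that reads a RACI matrix exported from a spreadsheet as CSV and applies the standard RACI rules (exactly one Accountable per function, at least one Responsible) plus the two checks this page cares about most: that every function with a single Responsible names a different person as backup, and that no one person is the only unbacked Responsible on several functions (a single point of failure). The column layout (`function`, one column per person, a `backup` column), the people's names and both sample matrices are assumptions constructed for the example.

```python
"""RACI matrix consistency checker (added example; column names and
sample data are assumptions, not from the original page).

Rules applied per function (row):
  * exactly one person holds A (Accountable)
  * at least one person holds R (Responsible)
  * a named backup must be a person listed in the matrix
  * if only one person holds R, a backup other than that person is required
Across the matrix:
  * a person who is the only unbacked R on >= SPOF_THRESHOLD functions
    is reported as a single point of failure
"""
import csv
import io
from collections import Counter

ROLE_LETTERS = set("RACI")
FUNCTION_COL = "function"   # assumed header of the task column
BACKUP_COL = "backup"       # assumed header of the backup column
SPOF_THRESHOLD = 2

# Constructed sample exported from a spreadsheet: cells hold R/A/C/I letters
# (a cell such as "RA" means the person is both Responsible and Accountable).
SAMPLE_CSV = """function,Rajesh,Priya,Owner,backup
backup,R,I,A,Priya
patching,R,,A,
user_access,RA,C,,Rajesh
incident_response,R,R,A,
compliance,,R,,Owner
"""

# The same matrix after the findings below were fixed (constructed).
FIXED_CSV = """function,Rajesh,Priya,Owner,backup
backup,R,I,A,Priya
patching,R,C,A,Priya
user_access,RA,C,I,Priya
incident_response,R,R,A,
compliance,I,R,A,Owner
"""


def parse_raci(text):
    """Parse CSV text into (people, rows); rows carry per-person role sets."""
    reader = csv.DictReader(io.StringIO(text))
    people = [c for c in reader.fieldnames if c not in (FUNCTION_COL, BACKUP_COL)]
    rows = []
    for rec in reader:
        fn = rec[FUNCTION_COL].strip()
        roles = {}
        for person in people:
            letters = set((rec.get(person) or "").strip().upper())
            unknown = letters - ROLE_LETTERS
            if unknown:
                raise ValueError(f"{fn}/{person}: unknown role letter(s) {sorted(unknown)}")
            if letters:
                roles[person] = letters
        rows.append({"function": fn, "roles": roles,
                     "backup": (rec.get(BACKUP_COL) or "").strip()})
    return people, rows


def check_raci(text, spof_threshold=SPOF_THRESHOLD):
    """Return a list of human-readable findings; an empty list means the matrix passes."""
    people, rows = parse_raci(text)
    findings = []
    unbacked_sole_r = Counter()   # person -> number of functions they alone carry
    for row in rows:
        fn, backup = row["function"], row["backup"]
        accountable = [p for p, r in row["roles"].items() if "A" in r]
        responsible = [p for p, r in row["roles"].items() if "R" in r]
        if len(accountable) != 1:
            findings.append(f"{fn}: expected exactly one Accountable, found {len(accountable)}")
        if not responsible:
            findings.append(f"{fn}: nobody is Responsible")
        if backup and backup not in people:
            findings.append(f"{fn}: backup '{backup}' is not a person in the matrix")
        if len(responsible) == 1:
            sole = responsible[0]
            if not backup:
                findings.append(f"{fn}: single Responsible '{sole}' with no backup")
                unbacked_sole_r[sole] += 1
            elif backup == sole:
                findings.append(f"{fn}: '{sole}' is the only Responsible and also named as own backup")
                unbacked_sole_r[sole] += 1
    for person, n in unbacked_sole_r.items():
        if n >= spof_threshold:
            findings.append(f"single point of failure: '{person}' is the only Responsible "
                            f"on {n} functions with no usable backup")
    return findings


if __name__ == "__main__":
    for finding in check_raci(SAMPLE_CSV):
        print("FAIL", finding)
    print("fixed matrix findings:", check_raci(FIXED_CSV))
```

Run against the constructed `SAMPLE_CSV` the checker reports four findings (no Accountable for compliance, Rajesh as sole unbacked Responsible on patching and user_access, and Rajesh as a single point of failure); `FIXED_CSV` passes cleanly. Export your own matrix from Google Sheets or Excel as CSV with the same headers and run it the same way before each six-monthly review.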
Documents and records that prove your maturity level.
- A signed and dated Cybersecurity Roles & Responsibilities document or RACI matrix showing who owns each major function (backup, patching, password management, incident response, compliance)
- Evidence of the last review: meeting minutes, an email thread, or a signed update showing you reviewed this document within the last 12 months, with the date and the names of who participated
- A list of critical role backups: who steps in if your IT person is on leave, sick, or leaves the company
- Job descriptions for IT staff and data handlers that include cybersecurity duties and the date these were last reviewed
- A change log or version history showing updates made to roles in the last 12 months, with reasons for changes (e.g., 'Hired second IT technician' or 'Added incident response owner')
Prepare for these questions from customers or third-party reviewers.
- "Can you show me your current cybersecurity roles and responsibilities document? When was it last reviewed and updated?"
- "Who is responsible for [specific task, e.g., 'ensuring patches are applied' or 'responding to a security incident']? What happens if that person is absent?"
- "How do your staff know what their cybersecurity responsibilities are? Is this documented in job descriptions or training materials?"
- "Walk me through what changed in your cybersecurity team or responsibilities in the last 12 months. How was that change documented and communicated?"
- "If there were a data breach tomorrow, who would be accountable to me (the auditor or regulator) for the investigation and notification?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and manage a simple RACI matrix or roles chart without buying software | Google Sheets (free, cloud-based, easy to share and track changes) or Microsoft Excel template | — |
| Document management and version control so you can track who reviewed roles and when | Google Drive or OneDrive (free tier, automatic version history) or GitHub (free for private repos if technically comfortable) | Confluence (₹1,500–3,000/month) or SharePoint (included with Microsoft 365 business plans) |
| Organize and store compliance evidence (documents, meeting minutes, sign-offs) | Google Drive folder system or OneDrive with shared access controls | DocuSafe (₹500–2,000/month) or SharePoint (included with Microsoft 365 business plans, with version history and audit logs) |
- Only the IT person knows cybersecurity responsibilities, so when they leave or take leave, nobody else can act. Solution: always have a documented, written backup person named for critical roles.
- Creating a roles document once and never updating it, even after hiring new staff or adopting new systems. Solution: set a calendar reminder to review every 6 months (tie it to budget reviews or appraisal cycles so it's not an extra task).
- Assuming roles are 'obvious' and don't need to be written down because everyone knows who does what. Solution: test this by asking three random staff members 'who handles customer data security?' and see if the answers match your document. If they don't, you have a communication problem.
- Creating roles only in job descriptions but not in a standalone RACI or roles chart, so it's buried and hard to reference in an incident. Solution: create a one-page quick reference guide that every team member can access and that auditors can find easily.
- Assigning all cybersecurity work to one overloaded person without documenting support or escalation paths. Solution: break responsibilities into functional areas (backup, patching, user management, compliance) and assign or share explicitly.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (obligations of the Data Fiduciary, including security safeguards and breach notification) and Section 10 (additional obligations of Significant Data Fiduciaries, including appointing a Data Protection Officer) |
| CERT-In 2022 Directions | Direction (ii) (report incidents to CERT-In within 6 hours) and Direction (iii) (designate a Point of Contact to interface with CERT-In) |
| ISO 27001:2022 | Clause 5.1 (leadership and commitment), Clause 5.3 (organizational roles, responsibilities and authorities), Annex A.5.2 (information security roles and responsibilities) and A.5.4 (management responsibilities) |
| NIST CSF 2.0 | Govern (GV) function: GV.RR (roles, responsibilities, and authorities) and GV.OC (organizational context) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.
Start Free Self-Assessment →