When no one owns IT security, problems are ignored until they become disasters. A manufacturing business in Bangalore had a server breached because the owner assumed the IT vendor was monitoring it, while the vendor assumed the owner would tell them if something was wrong; by the time anyone noticed, customer payment data had been stolen, the business faced a ₹50 lakh regulatory fine, and it lost three major clients. Without clear ownership you also cannot prove to auditors, banks, or insurers that you are protecting data, which can block loans, contracts, and certifications. And when an incident does happen, confusion about who is responsible delays the response and makes the damage worse.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no formal IT support or security role at all—the owner occasionally asks someone who 'knows computers' to look at problems when they happen. Nobody has written responsibility for infrastructure or security in any job description or agreement.
Initial
You have one person (internal IT staff or a part-time vendor) who handles IT issues, but their role is informal and mostly reactive—they fix things when users complain, with no documented responsibilities or on-call procedures. There is no written agreement or email saying who owns what parts of IT security.
Developing
You have assigned someone (internal IT lead or an external vendor contract) to be responsible for IT infrastructure, and they have a basic job description that mentions 'IT support' and 'security'—but there is no clear document stating what systems they own, what they must monitor, or what happens if they leave. Coverage gaps exist during holidays or if that one person is sick.
Defined
You have a documented IT Owner role (internal or vendor-based) with a written charter that lists specific responsibilities: servers, backups, firewalls, user access, incident response, and regular updates. The role is linked to your organization chart, and there is a backup person named in case the primary owner is unavailable, but responsibilities are not formally reviewed yearly.
Managed
You have a formal, written IT Security Owner role with clear responsibility boundaries defined in a RACI matrix (who is Responsible, Accountable, Consulted, Informed for each infrastructure and security task). The role has a documented on-call schedule, escalation path, and is reviewed annually with performance metrics; a vendor contract includes SLAs and consequences for lapses.
Optimised
You have a multi-tiered IT and security ownership model with a primary IT Owner, a dedicated Security Lead (internal or contracted), and named backup individuals for critical functions. Responsibilities are codified in a detailed RACI matrix, reviewed and updated quarterly, with formal escalation procedures, documented hand-offs, and metrics tracked in your governance meetings; third-party vendors sign agreements with explicit security accountability clauses and audit rights.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Write a simple one-page document naming one person as 'IT Owner' and listing their basic responsibilities: servers, passwords, backups, virus protection, user accounts. Have the owner and one senior staff member sign it. | Business Owner with IT person | 1 day |
| 1 → 2 | If using a vendor, convert the informal arrangement into a written contract or statement of work that explicitly assigns responsibility for infrastructure maintenance, security monitoring, and incident response. If internal, create a formal job description. | Business Owner and IT lead or Vendor Manager | 3-5 days |
| 2 → 3 | Create a RACI matrix (one-page table) listing all key IT assets (servers, network, backups, access control, updates, incident response) and clearly mark who is Responsible and Accountable for each. Identify and document a backup person for each critical function. | IT Owner with Business Owner approval | 1-2 weeks |
| 3 → 4 | Formalize the IT Owner role into a detailed charter with performance metrics (e.g., 'patch critical vulnerabilities within 7 days', 'respond to security incidents within 2 hours'), include on-call coverage schedule, and ensure vendor contracts have SLAs with financial penalties for non-compliance. | IT Owner and Business Owner, possibly HR | 3-4 weeks |
| 4 → 5 | Establish a multi-person governance model with a primary IT Owner and a dedicated Security Lead reporting to management; hold quarterly reviews of the RACI matrix, audit vendor compliance, and maintain a decision log of any changes to ownership or responsibilities. | Senior Management, IT Owner, Security Lead | Ongoing (2-3 hours per month) |
Documents and records that prove your maturity level.
- A written role charter or job description clearly naming the IT Owner and listing their responsibilities for infrastructure security, monitoring, and incident response
- A RACI matrix (responsibility assignment chart) showing who is responsible and accountable for each major IT system and security function (servers, backups, network, user access, patching, incident response)
- A signed agreement or contract with your IT vendor (if external) that explicitly assigns security responsibilities, defines SLAs, and states consequences for non-compliance
- An on-call or escalation schedule document showing backup coverage for the IT Owner role during absences, holidays, or emergencies
- Minutes from management meetings or annual reviews documenting that IT ownership and security responsibilities have been reviewed and confirmed by leadership
Prepare for these questions from customers or third-party reviewers.
- "Who is responsible for managing and maintaining your IT infrastructure, and do you have a written document assigning this role?"
- "If your IT Owner is unavailable (sick, on leave, or departed), who takes over their security responsibilities and how is this handoff documented?"
- "Can you show me a list of critical IT systems and for each one, who is accountable if something fails or is not secure?"
- "What happens if your IT support vendor fails to patch a critical server or misses a security incident—who is held accountable and what are the consequences?"
- "How often do you review and confirm that IT ownership responsibilities are still clear, and is there evidence of this review in your records?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and maintain a RACI matrix or responsibility chart | Google Sheets or LibreOffice Calc with a simple table template | Smartsheet (approx ₹3,000–8,000/year for small teams) or Monday.com (approx ₹2,500–5,000/year) |
| Document roles, responsibilities, and escalation procedures | Google Drive, Notion (free tier), or Microsoft OneDrive with shared document templates | Confluence by Atlassian (approx ₹5,000–15,000/year) or GitBook (approx ₹3,000–10,000/year) |
| Track IT incidents and assign ownership/accountability | Jira Cloud Free plan (free for up to 10 users) or Odoo Community (open-source) | Jira Standard (approx ₹7,000–12,000/user/year) or ServiceNow (approx ₹50,000+/year) |
- Assuming the IT vendor 'owns everything'—vendors are contractors and do not own accountability; the business owner always remains legally responsible. Get everything in writing.
- Naming an IT owner informally (e.g., 'Rajesh handles IT') without a document—when Rajesh leaves or is unavailable, nobody knows what he was supposed to be doing, and critical tasks slip through cracks. Always document it.
- Creating a role but not defining what systems or functions it covers—an owner might think they are responsible only for email, while the boss expects them to handle backups and firewalls too. Use a RACI matrix to be specific.
- Not having a backup owner for critical functions—if your one IT person falls ill during a ransomware attack, your business is stuck. Always name a secondary contact in writing.
- Setting up ownership but never reviewing it—over time, people's roles change, new systems are added, and responsibilities become outdated. Schedule an annual review with your IT owner and management to confirm and update ownership.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(1) makes the Data Fiduciary responsible for compliance even when processing is carried out on its behalf by a Data Processor (for example, your IT vendor); Section 8(5) requires reasonable security safeguards to prevent a personal data breach; Section 10(2)(a) requires Significant Data Fiduciaries to appoint a Data Protection Officer |
| CERT-In Directions 2022 | Direction (iii) requires organisations to designate a Point of Contact to interface with CERT-In and keep its details current; Direction (ii) requires cyber incidents to be reported to CERT-In within 6 hours of noticing them, which is only achievable with a named incident-response owner and escalation path |
| ISO 27001:2022 | Clause 5.3 (Organizational roles, responsibilities and authorities) requires top management to assign and communicate information security responsibilities; Annex A control 5.2 (Information security roles and responsibilities) requires roles to be defined and allocated; Annex A controls 5.19 and 5.20 require security responsibilities to be addressed in supplier relationships and supplier agreements |
| NIST CSF 2.0 | Govern function GV.RR-01 makes organizational leadership responsible and accountable for cybersecurity risk, and GV.RR-02 requires cybersecurity roles, responsibilities, and authorities to be established, communicated, understood, and enforced; GV.SC-05 requires cybersecurity requirements to be integrated into contracts and agreements with suppliers |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.