Roles and Responsibilities Matrix

Security roles and responsibilities for ISMS implementation

Public

Purpose

This matrix defines information security roles and responsibilities across the organisation, ensuring accountability and clarity for ISMS implementation and maintenance.

Role Structure

Note: In a small team, individuals may hold multiple roles. This matrix defines responsibilities, not necessarily separate people.

Current state: As a sole operator, the Founder currently holds all roles defined below. Role definitions are maintained for future team growth and to satisfy ISO 27001 requirements for documented responsibilities.


Executive Roles

ISMS Owner

Overall ISMS accountability and strategic direction

Responsibility | Description | Frequency
ISMS Leadership | Demonstrate leadership and commitment to ISMS | Ongoing
Policy Approval | Approve information security policies and major changes | As needed
Resource Allocation | Ensure adequate resources (budget, staff, tools) for security | Annually
Management Review | Chair quarterly management review of ISMS | Quarterly
Risk Acceptance | Accept residual risks after treatment | Quarterly
External Reporting | Report to stakeholders on security posture | As needed
Certification | Sponsor ISO 27001 certification process | When commercially justified

Authority: Final decision on all security matters

Reports to: Board / Stakeholders

Skills: Strategic thinking, risk management, compliance knowledge


Operational Roles

Security Lead

Day-to-day ISMS implementation and security operations

Responsibility | Description | Frequency
ISMS Maintenance | Maintain and update ISMS documentation | Ongoing
Risk Management | Conduct risk assessments, maintain risk register | Quarterly
Incident Response | Lead security incident response | As needed
Access Control | Manage access to critical systems (Cloudflare, GitHub) | Ongoing
Audit Coordination | Coordinate internal and external audits | Annually
Cryptographic Key Management | Generate, store, rotate signing and HMAC keys | Per schedule
Security Monitoring | Monitor security logs, vulnerability scans, alerts | Daily
Supplier Management | Assess and monitor critical suppliers (Cloudflare, GitHub) | Quarterly
Policy Implementation | Implement security policies and procedures | Ongoing
Training Coordination | Ensure team completes security awareness training | Onboarding + Annual
Compliance Monitoring | Track compliance with policies and controls | Ongoing
Metrics Reporting | Collect and report security metrics | Monthly

Reports to: ISMS Owner

Skills: Information security, cryptography, cloud security, incident response


Developer

Secure development and operational security

Responsibility | Description | Frequency
Secure Coding | Follow secure development practices | Daily
Code Review | Review code for security issues before merge | Per PR
Security Testing | Run security scans, fuzzing, static analysis | Per PR
Dependency Management | Monitor and update dependencies for vulnerabilities | Weekly
Change Management | Follow change management procedures | Per change
Incident Support | Support Security Lead during incidents | As needed
Configuration Management | Maintain secure configurations (wrangler.toml) | Per change
Documentation | Document security-relevant architecture and code | Ongoing
Security Tools | Use approved security tools (MFA, password manager) | Daily
Reporting Issues | Report security concerns or incidents immediately | As needed

Reports to: ISMS Owner

Skills: Secure coding, cryptography libraries, testing, DevSecOps


Specialized Responsibilities

Cryptography Specialist

Cryptographic implementation and key lifecycle

Responsibility | Description | Frequency
Algorithm Selection | Choose and approve cryptographic algorithms | As needed
Key Generation | Generate cryptographic keys securely | Per rotation
Key Storage | Ensure secure storage of signing and HMAC keys | Ongoing
Key Rotation | Rotate keys per schedule or on compromise | Annually
Key Backup | Maintain encrypted offline backups | Per rotation
JWKS Management | Publish and update verification keys | Per rotation
Key Status Management | Maintain key lifecycle status (Active -> Deprecated -> Disabled) | Ongoing
Cryptographic Review | Review crypto code changes for correctness | Per PR

Authority: Approve all cryptographic implementation changes

Skills: Applied cryptography, ZKP, elliptic curves, key management


Compliance Officer

Regulatory and standards compliance

Responsibility | Description | Frequency
Privacy Compliance | Ensure Australian Privacy Act compliance | Ongoing
ISO 27001 Compliance | Maintain ISMS per ISO 27001:2022 requirements | Ongoing
Audit Preparation | Prepare evidence for internal and external audits | Quarterly
Policy Updates | Update policies for regulatory changes | As needed
Documentation | Maintain compliant records and documentation | Ongoing
Training Records | Track and report security training completion | Quarterly

Authority: Interpret compliance requirements, recommend changes

Skills: ISO 27001, privacy law, audit processes


RACI Matrix

R = Responsible | A = Accountable | C = Consulted | I = Informed | - = not involved

ISMS Management

Task | ISMS Owner | Security Lead | Developer | External Auditor
ISMS Policy Approval | A | R | C | -
ISMS Documentation | A | R | C | -
Management Review | A/R | R | I | -
Internal Audit | A | R | I | -
External Audit | A | R | C | R

Risk Management

Task | ISMS Owner | Security Lead | Developer
Risk Assessment | A | R | C
Risk Treatment Plan | A | R | C
Risk Acceptance | A/R | C | I
Risk Monitoring | I | R | I

Incident Response

Task | ISMS Owner | Security Lead | Developer
Incident Detection | I | R | R
Incident Response | A | R | R
Incident Reporting | I | R | R
Post-Incident Review | A | R | C

Access Control

Task | ISMS Owner | Security Lead | Developer
Access Provisioning | A | R | I
Access Review | A | R | I
Access Revocation | A | R | I
MFA Enforcement | A | R | R

Cryptographic Operations

Task | ISMS Owner | Cryptography Specialist | Developer
Algorithm Selection | A | R | C
Key Generation | A | R | -
Key Storage | A | R | -
Key Rotation | A | R | I
Crypto Code Review | I | R | C

Secure Development

Task | ISMS Owner | Security Lead | Developer
Secure Coding | A | C | R
Code Review | I | C | R/A
Security Scanning | I | C | R
Dependency Updates | I | C | R
SLSA Compliance | A | R | R

Training

Task | ISMS Owner | Security Lead | Developer
Training Content | A | R | C
Training Delivery | I | R | R (self-paced)
Training Records | I | R | -

All Staff Responsibilities

Every team member, regardless of role:

  1. Understand and comply with information security policies
  2. Complete security awareness training (onboarding + annual)
  3. Report security incidents or concerns immediately
  4. Protect credentials (use password manager, enable MFA)
  5. Follow acceptable use policy for workstations and accounts
  6. Respect information classification (don’t share Restricted data)
  7. Ask Security Lead if unsure about security requirements
  8. Contribute to security culture and continuous improvement

Role Assignment

Current Assignments (as of February 2026):

Role | Assigned To | Backup
ISMS Owner | Founder | -
Security Lead | Founder (sole operator) | -
Developer | Founder (sole operator) | -
Cryptography Specialist | Founder (sole operator) | -
Compliance Officer | Founder (sole operator) | -
Incident Response Lead | Founder (sole operator) | -
Audit Coordinator | Founder (sole operator) | -

Note: As a sole operator, the Founder currently holds all defined roles. Role definitions are maintained for future team growth, and named assignments will be updated as roles are filled. Role assignments are available for auditor review upon request.


Delegation of Authority

ISMS Owner may delegate day-to-day activities to Security Lead, but retains accountability for:

  • Final approval of policies
  • Risk acceptance decisions
  • Resource allocation
  • Management review outcomes

Security Lead has authority to:

  • Implement security controls
  • Respond to security incidents
  • Revoke access in emergency
  • Update non-policy procedures
  • Coordinate audits

Security Lead must escalate to ISMS Owner:

  • Major incidents (P0/P1)
  • Major policy changes
  • Significant risks
  • Resource constraints affecting security
  • Findings from audits requiring management decision

Competence Requirements

ISMS Owner

Required:

  • Understanding of ISO 27001 requirements
  • Risk management knowledge
  • Strategic leadership experience

Desirable:

  • Information security certification (CISSP, CISM)
  • Experience with ISMS implementation

Security Lead

Required:

  • Information security technical knowledge
  • Cryptography fundamentals
  • Cloud security (Cloudflare Workers)
  • Incident response experience
  • ISO 27001 familiarity

Desirable:

  • Security certification (CISSP, OSCP, CEH)
  • Zero knowledge proof understanding
  • Previous audit experience

Developer

Required:

  • Secure coding practices
  • Understanding of OWASP Top 10
  • Version control (Git) and code review
  • Dependency management

Desirable:

  • Security testing (fuzzing, static analysis)
  • Cryptography libraries experience

Training provided: Security awareness, secure coding workshops, ZKP specifics


Role Changes

When roles change (new hire, departure, restructure):

  1. Update this matrix
  2. Update Asset Register (ownership changes)
  3. Review and update access (provisioning or revocation)
  4. Transfer knowledge (documentation, handover meeting)
  5. Update audit plans (if auditor changes)
  6. Notify in management review

Documented: Within 5 business days of change



Document Information

  • Version: 2.0
  • Effective Date: 2025-01-13 (initial), 2026-02-16 (updated)
  • Owner: ISMS Owner
  • Review Frequency: Annually (or when roles change)
  • Next Review: 2027-01-13
  • Classification: Public