Is there one person clearly responsible for "cyber" in your business (even if it’s not their full job)?
Demonstrate that the organization has formally designated one accountable individual for cybersecurity oversight with documented responsibilities and authority.
Description
What this control does
This control establishes a single named individual with defined accountability for cybersecurity governance, risk, and compliance activities within the organization, regardless of whether cybersecurity is their sole responsibility. The designated person serves as the primary point of contact for cyber incidents, risk decisions, policy oversight, and coordination with technical teams or third parties. This ensures clear ownership and prevents cybersecurity from becoming an unowned, diffused responsibility that falls through organizational cracks.
Control objective
What auditing this proves
Demonstrate that the organization has formally designated one accountable individual for cybersecurity oversight with documented responsibilities and authority.
Associated risks
Risks this control addresses
- Cybersecurity incidents are not escalated or responded to promptly because no single person owns the issue, leading to prolonged attacker dwell time
- Security policies and controls are inconsistently applied across departments due to lack of centralized coordination and decision authority
- Regulatory compliance gaps emerge because no individual is tracking obligations or coordinating audit responses
- Budget and resource allocation for security tools and training is deprioritized when no advocate has clear accountability
- Vendor security assessments and third-party risk management are neglected without a designated owner to manage the process
- Security awareness training and incident response planning lack continuity and organizational commitment without executive sponsorship
- Conflicting security decisions are made by different business units, creating exploitable inconsistencies in the security posture
Testing procedure
How an auditor verifies this control
- Request the current organizational chart, role descriptions, and any governance documentation identifying cybersecurity responsibilities
- Identify the individual formally designated as responsible for cybersecurity through appointment letters, job descriptions, or board/executive minutes
- Interview the designated individual to confirm their understanding of scope, authority, reporting lines, and specific cybersecurity duties
- Review evidence of the designated person's active involvement in cybersecurity activities within the past 90 days, such as meeting minutes, incident escalations, policy approvals, or risk assessments
- Verify that executive leadership and key department heads are aware of who holds cybersecurity accountability by reviewing communication records or conducting brief confirmatory interviews
- Examine whether the designated person has access to necessary resources, including budget authority or ability to escalate to decision-makers, by reviewing authorization matrices or procurement records
- Validate that the designation is documented in accessible governance materials such as policies, intranet pages, or incident response plans that reference the role by name or title
- Confirm the designation is current and has been reviewed within the past 12 months as part of organizational role reviews or governance updates