- An ISMS needs at least five clearly defined roles: top management, ISM/CISO, risk owner, asset owner, and measure owners.
- The ISM coordinates the ISMS but does not bear overall responsibility – that remains with top management.
- Combining IT manager and ISM in one person creates a conflict of interest that auditors regularly flag.
- Even a 100-employee company can sensibly fill all roles – with clear delineation and without full-time positions for each role.
- A RACI matrix makes transparent who is responsible, accountable, consulted, or informed for each ISMS task.
An ISMS is not a software tool or a filing cabinet. It is a management system – and management systems only work when it is clear who takes on which tasks. ISO 27001 explicitly requires this in several clauses: roles, responsibilities, and authorities must be defined and communicated.
In practice, this is where things surprisingly often fail. The information security manager is supposed to somehow do everything, top management signs off on documents without reading them, and nobody feels responsible for risk assessments. The result: an ISMS that exists on paper but does not live in daily operations.
This article shows you which roles an ISMS truly needs, what each role specifically does, and how to fill them sensibly even in a mid-market company with limited resources.
The Five Core ISMS Roles at a Glance
Before we dive into the details, here are the five roles that appear in every ISMS – regardless of company size and industry:
- Top Management (Executive Leadership)
- Information Security Manager (ISM) / CISO
- Risk Owner
- Asset Owner
- Measure Owner
Depending on company size, additional roles may be needed – such as a dedicated data protection officer, an IT security architect, or an audit manager. But these five form the foundation.
Top Management: More Than Just a Signature
Top management bears overall responsibility for information security. This is not a platitude but a central requirement of ISO 27001 (clause 5.1). Specifically, this means:
- Setting strategic direction: Top management defines the information security policy and ensures that security objectives align with the business strategy.
- Providing resources: Budget for tools, training, external consulting, and – crucially – sufficient working time for the ISM and other ISMS participants.
- Leading by example: If top management ignores security policies, the rest of the organization will too. Culture is set from the top.
- Conducting management review: At least once a year, top management must evaluate the effectiveness of the ISMS in a management review and make documented decisions.
- Accepting risks: Residual risks remaining after treatment must be formally accepted by top management. This decision cannot be delegated.
A common mistake in practice: top management delegates everything to the ISM and stays completely out of the picture. This becomes apparent at the latest during an audit, because the required management review is either missing or was obviously performed only pro forma.
The Information Security Manager (ISM) / CISO
The ISM is the central operational figure in the ISMS. They coordinate, advise, monitor, and report. But – and this is a widespread misconception – they do not bear overall responsibility. That lies with top management. The ISM is the engine, not the vehicle owner.
Core Tasks of the ISM
- Building and developing the ISMS: The ISM creates and maintains documentation, coordinates risk analyses, and ensures the system lives rather than merely existing.
- Coordinating risk analyses: They moderate the process, provide methods, and ensure all relevant areas are included. The actual risk assessment lies with the risk owners.
- Managing security incidents: The ISM is the first point of contact for incidents, coordinates the response, and ensures follow-up.
- Training and awareness: Planning, conducting, and measuring the effectiveness of employee awareness programs.
- Coordinating internal audits: While they should not conduct audits themselves (independence), they ensure planning, execution, and follow-up of findings.
- Reporting to top management: Regular reports on ISMS status, open risks, incidents, and progress on measures.
ISM vs. CISO: Is There a Difference?
In the German SME landscape, the role is usually titled ISB (Informationssicherheitsbeauftragter, i.e. Information Security Manager). The CISO (Chief Information Security Officer) is more common in larger organizations and typically sits at C-level. Functionally, the roles are very similar, but the CISO generally has more decision-making authority and a dedicated budget.
For most mid-market companies, the ISM designation is perfectly sufficient. What matters is not the title but that the person has adequate competence, authority, and resources.
Internal vs. External ISM: Pros and Cons
One of the most frequent questions during ISMS build-up: should the ISM be an internal employee, or should we engage an external service provider? Both have clear pros and cons.
Internal ISM
Pros:
- Knows the company, processes, and people.
- Always on-site and reachable.
- Can actively shape the security culture in everyday work.
- Builds internal know-how that stays within the organization.
Cons:
- Requires solid training and continuous professional development.
- Often a part-time role alongside other duties – the ISMS quickly takes a back seat.
- Potential operational blindness after a few years.
- Harder to voice uncomfortable truths to colleagues and superiors.
External ISM
Pros:
- Brings broad experience from various companies and industries.
- Objective outside perspective, no operational blindness.
- Can push through unpopular measures more easily because they are not part of the internal hierarchy.
- Immediately operational, without a lengthy ramp-up period on ISMS topics.
Cons:
- Higher ongoing costs than an internal part-time solution.
- Not always immediately reachable during acute incidents.
- Does not know the company as well as an internal employee initially.
- Know-how remains with the service provider, not within the company.
Practical recommendation: For getting started with an ISMS, an external ISM is often the more pragmatic choice – especially when no internal security expertise exists yet. In the medium term, however, building an internal role is worthwhile, with the external ISM then serving as a sparring partner.
Can the IT Manager Also Be the ISM?
The short answer: it is not forbidden, but it is problematic.
The detailed answer: the IT manager is responsible for operating the IT infrastructure. The ISM is supposed to, among other things, verify whether that infrastructure is securely operated. When both roles are combined in one person, that person is checking their own work. This is a classic conflict of interest.
Why This Goes Wrong in Practice
Take a concrete example: the risk analysis reveals that the mail server urgently needs to be updated. As IT manager, you know that the migration project will take three months and you currently have no capacity. As ISM, you would need to escalate exactly this risk and push for action. In the dual role, this escalation doesn't happen – the risk gets downplayed or postponed.
What Auditors Say
ISO 27001 requires in clause 5.3 that roles and responsibilities be assigned in a way that ensures impartiality. Many auditors view the IT manager/ISM combination as a nonconformity or at least an observation. For companies subject to NIS2, this becomes even more critical because the accountability requirements are stricter.
Pragmatic Solution for Small Companies
If a separation is not possible in terms of staffing, there are compensating measures:
- External review: An external consultant conducts regular reviews of IT security measures.
- Separate reporting line: The ISM reports in this role directly to top management, not to themselves as IT manager.
- Documented conflict of interest policy: A written record of how conflicts are handled.
- Regular audits: More frequent internal or external audits partially compensate for the missing control function.
This is not ideal. But for a company with 30 employees, it is an acceptable transitional solution, provided the compensating measures are actually practiced.
Risk Owner: The Often-Forgotten Key Role
The risk owner is responsible for the treatment of a specific risk. This sounds simple but is surprisingly often misunderstood or completely ignored in practice.
What the Risk Owner Specifically Does
- Assessing risks: They know the business process best and can realistically estimate the likelihood of occurrence and impact.
- Choosing treatment options: Avoid, mitigate, transfer, or accept – this decision is made by the risk owner, not the ISM.
- Monitoring measure implementation: They ensure that agreed-upon measures are actually implemented.
- Accepting residual risk: When residual risk remains after treatment, the risk owner formally accepts it.
Who Becomes a Risk Owner?
Typically, the person who is responsible for the affected business process or area. The head of accounting is the risk owner for risks affecting the financial system. The sales director for risks related to the CRM. The IT manager for IT infrastructure risks.
The ISM is explicitly not the risk owner for all risks – even though this is often how it is handled in practice. When the ISM "owns" all risks, the anchoring in the business unit is missing. The risk assessment then becomes abstract and detached from reality.
Asset Owner: Who Owns What?
Every information asset needs an owner. ISO 27001 requires this in Annex A (control A.5.9). The asset owner is responsible for ensuring the asset is appropriately protected.
Typical Tasks
- Classification: The asset owner determines the protection requirement (e.g., confidential, internal, public).
- Defining access rights: Who may access the asset? The asset owner sets the requirements within the access rights concept; IT implements them technically.
- Managing the lifecycle: From creation through use to secure disposal or archiving.
Example
The head of HR is the asset owner of personnel files. They determine that these are classified as "confidential," that only HR and the direct supervisor have access, and that files are retained according to statutory retention periods after the employee leaves.
The asset owner is often identical with the risk owner for the respective asset – but does not have to be.
Measure Owners: The Implementers
Measure owners implement the concrete security measures that result from risk treatment. They are the operational forces in the ISMS.
What They Do
- Implementing measures: Technical measures (firewall rule, encryption, backup concept) or organizational measures (policies, training, process changes).
- Demonstrating effectiveness: Documenting that the measure has been implemented and works.
- Meeting deadlines: Every measure has a deadline. The measure owner ensures it is met.
- Reporting deviations: When implementation stalls or does not work as planned, they provide feedback to the risk owner and the ISM.
In many cases, measure owners are IT staff, system administrators, or team leaders. The role is assigned per measure – one person can be responsible for multiple measures.
RACI Matrix for Typical ISMS Tasks
A RACI matrix makes responsibilities transparent at a glance. The letters stand for:
- R = Responsible (carries out the task operationally)
- A = Accountable (bears overall responsibility, approves the result)
- C = Consulted (is asked before a decision is made)
- I = Informed (is notified of the result)
| ISMS Task | Top Management | ISM/CISO | Risk Owner | Asset Owner | Measure Owner |
|---|---|---|---|---|---|
| Define security policy | A | R | I | I | I |
| Conduct risk analysis | I | R | A | C | I |
| Assess risks | I | C | A/R | C | I |
| Decide risk treatment | A | C | R | C | I |
| Implement measures | I | C | A | C | R |
| Asset classification | I | C | I | A/R | I |
| Plan internal audit | A | R | I | I | I |
| Manage security incident | I | A/R | C | C | R |
| Conduct awareness training | A | R | I | I | I |
| Management review | A/R | R | C | I | I |
| Accept residual risk | A | C | R | I | I |
| Report metrics | I | R | C | C | I |
This matrix is a starting point. In your company, individual assignments may differ depending on organizational structure and company size. What matters is that every task has exactly one "A" – it must never be unclear who ultimately bears responsibility. In ISMS Lite, roles can be assigned directly to ISMS processes, making it transparent for every task who is responsible, accountable, and informed.
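The "exactly one A per task" rule is easy to state and easy to break once a matrix is edited by several people. The following Python script is an added example, not code from the article or from ISMS Lite: it parses the markdown RACI table above, checks that every task has exactly one A (the article's rule) and at least one R (an added rule, since a task nobody carries out is not implemented), and flags the IT manager/ISM dual role discussed earlier. The table rows are copied from the article; the person-to-role assignment and the role labels `"ISM/CISO"` and `"IT Manager"` used by `check_role_assignment` are constructed sample data.

```python
"""Validate an ISMS RACI matrix and a role assignment.

Added example (not the article's own code). The RACI_TABLE string is the
article's matrix reproduced verbatim; the role assignment in main() is
constructed sample data.
"""
from __future__ import annotations

# The article's RACI matrix, copied verbatim as a markdown table.
RACI_TABLE = """\
| ISMS Task | Top Management | ISM/CISO | Risk Owner | Asset Owner | Measure Owner |
|---|---|---|---|---|---|
| Define security policy | A | R | I | I | I |
| Conduct risk analysis | I | R | A | C | I |
| Assess risks | I | C | A/R | C | I |
| Decide risk treatment | A | C | R | C | I |
| Implement measures | I | C | A | C | R |
| Asset classification | I | C | I | A/R | I |
| Plan internal audit | A | R | I | I | I |
| Manage security incident | I | A/R | C | C | R |
| Conduct awareness training | A | R | I | I | I |
| Management review | A/R | R | C | I | I |
| Accept residual risk | A | C | R | I | I |
| Report metrics | I | R | C | C | I |
"""

VALID_LETTERS = {"R", "A", "C", "I"}


def parse_raci(table: str) -> dict[str, dict[str, set[str]]]:
    """Parse a markdown RACI table into {task: {role: {letters}}}.

    A combined cell such as 'A/R' becomes {'A', 'R'}. Any letter outside
    R/A/C/I raises ValueError so a typo cannot silently pass the checks.
    """
    lines = [ln.strip() for ln in table.strip().splitlines()]
    header = [c.strip() for c in lines[0].strip("|").split("|")]
    roles = header[1:]
    matrix: dict[str, dict[str, set[str]]] = {}
    for line in lines[2:]:  # skip the header row and the |---| separator row
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != len(header):
            raise ValueError(f"row has {len(cells)} cells, expected {len(header)}: {line}")
        task, assignments = cells[0], cells[1:]
        row: dict[str, set[str]] = {}
        for role, cell in zip(roles, assignments):
            letters = {p.strip().upper() for p in cell.split("/") if p.strip()}
            unknown = letters - VALID_LETTERS
            if unknown:
                raise ValueError(f"unknown RACI letter {sorted(unknown)} in task {task!r}")
            row[role] = letters
        matrix[task] = row
    return matrix


def check_raci(matrix: dict[str, dict[str, set[str]]]) -> list[str]:
    """Return findings as strings; an empty list means the matrix passes.

    Article rule: exactly one 'A' per task. Added rule: at least one 'R'.
    """
    findings: list[str] = []
    for task, row in matrix.items():
        accountable = [role for role, letters in row.items() if "A" in letters]
        responsible = [role for role, letters in row.items() if "R" in letters]
        if len(accountable) != 1:
            findings.append(
                f"{task}: expected exactly one A, found {len(accountable)} "
                f"({', '.join(accountable) or 'none'})"
            )
        if not responsible:
            findings.append(f"{task}: no R assigned")
    return findings


def check_role_assignment(assignment: dict[str, str]) -> list[str]:
    """Check a role -> person mapping (role labels are constructed for this example).

    Flags the conflict of interest from the article (IT manager and ISM/CISO
    held by the same person) and any role without a named person.
    """
    findings: list[str] = []
    it_manager = assignment.get("IT Manager")
    if it_manager and it_manager == assignment.get("ISM/CISO"):
        findings.append(f"{it_manager} holds both IT Manager and ISM/CISO: conflict of interest")
    for role, person in assignment.items():
        if not person:
            findings.append(f"{role}: no person named")
    return findings


if __name__ == "__main__":
    for finding in check_raci(parse_raci(RACI_TABLE)):
        print("RACI:", finding)
    # Constructed sample assignment (names are placeholders).
    sample = {"Top Management": "CEO", "ISM/CISO": "Quality manager", "IT Manager": "Quality manager"}
    for finding in check_role_assignment(sample):
        print("Roles:", finding)
```

Run against the article's own table, the checker reports one finding: the "Report metrics" row has no A, so it does not satisfy the one-A rule stated above. That is exactly the kind of gap the check is meant to surface before the matrix is discussed with stakeholders; who should be accountable for metrics reporting is a decision for your organization.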
Practical Example: Role Assignment in a 100-Employee Company
What does a realistic role assignment look like in a mid-market company with about 100 employees? Here is an example:
Top Management (CEO/Managing Director)
- Approves the security policy and risk budget.
- Conducts the annual management review.
- Accepts residual risks above a defined threshold.
- Time commitment: approximately 2-4 hours per month.
ISM (Quality manager or IT-savvy employee, 30-50% of working time)
- Coordinates all ISMS activities.
- Maintains documentation and the risk register.
- Conducts awareness training.
- Reports quarterly to top management.
- Ideally not the IT manager (see above).
Risk Owners (Department heads, each in their respective role)
- Sales director: Risks related to CRM, customer data, sales processes.
- Head of Finance: Risks of the ERP system, payment transactions, financial data.
- Head of HR: Risks of personnel management, applicant data, onboarding.
- IT manager: Risks of IT infrastructure, servers, network, cloud services.
- Time commitment per person: approximately 2-4 hours per month.
Asset Owners (often identical with risk owners)
- Sales director owns the CRM and the customer database.
- IT manager owns the servers, network infrastructure, and backup systems.
- Head of HR owns the personnel files and the HR system.
- Additional effort: minimal, since classification is a one-time activity and only updated when changes occur.
Measure Owners (IT team, team leaders)
- System administrator: Technical measures such as patch management, firewall configuration, backup tests.
- IT support: Endpoint security, user account management.
- Team leaders: Organizational measures such as clean desk policy, visitor regulations.
- Time commitment: varies by measure, typically 2-8 hours per measure.
This sounds like a lot of effort but is distributed across many shoulders. No single employee is overwhelmed by the ISMS, and responsibility lies where the expertise sits.
Common Mistakes in Role Assignment
To conclude, the five most common mistakes you should avoid when assigning roles:
1. The ISM does everything alone. The ISMS becomes a one-person project. When the ISM falls ill or leaves the company, everything collapses. Actively distribute responsibility across multiple shoulders.
2. Risk owners are not designated. Risks exist in the risk register, but nobody feels responsible. Every risk needs a named owner – not a department, but a specific person.
3. Top management is not involved. Top management signs the security policy and then stays completely out of the picture. Without genuine engagement from the top, the ISMS lacks enforcement power.
4. Roles are assigned but not communicated. It is not enough to record roles in a document. Every person must know which role they have and what is specifically expected of them. This requires a brief training session or at least a personal conversation.
5. IT manager and ISM combined without compensation. The conflict of interest is ignored. If separation is not possible, compensating measures must be documented and practiced.
How to Get Started
The role assignment does not have to be complicated. Start with these three steps:
- Define roles: Use the five roles from this article as a starting point and adapt them to your organizational structure.
- Assign people: Name a specific person for each role. Document the assignment and have it approved by top management.
- Create a RACI matrix: Build a matrix for the most important ISMS tasks and discuss it with all stakeholders. This ensures everyone knows what is expected of them.
Further Reading
- Building an ISMS: The Complete Guide for Companies with 50 to 500 Employees
- Writing an Information Security Policy: Structure, Content, and Example
- Creating an Access Rights Concept: Roles, Rights, and Approval Workflow
- User Lifecycle: Properly Handling Onboarding, Offboarding, and Role Changes
- Management Review per ISO 27001: Agenda, KPIs, and Minutes
Clearly defined roles are not bureaucratic overhead – they are the foundation on which every functioning ISMS is built. Without them, information security remains a vague goal without clear accountability. With them, a paper tiger becomes a real management system.
