Recently, I have been thinking about what the roles and responsibilities of an information security manager should be. These thoughts partially originated from an academic desire to form a complete picture of what information security management at mid-tactical to strategic level could entail, and partially from a direct need to establish my own responsibilities.

My thoughts were very much influenced by Mike Rothman's Pragmatic CSO, as well as by ISACA work on the requirements for the certified information security manager (CISM) certification.
After giving it some thought; and especially after contemplating the work on the SABSA Model, I came up with the following list.
Tasks to be performed by the information security officer:

  • Develop information security goals and strategy.

  • Develop and maintain information security policy and standards.

  • Develop and maintain IT business continuity plan.

  • Resolve information security incidents.

  • Review logical authentication controls and access controls (network and systems).

  • Approve and review physical access control to IT facilities.

  • Provide solicited or unsolicited information security consultancy to all sections of IT and the rest of the organization.

  • Establish and maintain the organization's professional reputation in the field of information security management.


Tasks to be managed by the information security officer

  • Manage compliance with information security policies and standards.

  • Manage collection of information security metrics.

  • Manage information security awareness program.

  • Manage and assess information security risks.

  • Manage preparation for information security audits.

  • Manage approval of logical authentication and access controls.


Tasks to performed by other IT business units

  • Facilitate the collection of security metrics.

  • Facilitate regular reporting of collected metrics to information security officer.

  • Facilitate compliance monitoring and regularly report to information security officer.

  • Notify information security officer of any perceived risks to information security.

  • Assist information security officer with implementation of information security controls.

  • Assist information security officer with resolving information security incidents.

  • Implement information security policies and standards.

  • Develop and document information security procedures and guidelines.


There are some irregularities on the list that are caused by a bias to my current position.