Overall responsibility lies with the agency head

If you’re an agency head, you’re accountable for information security within your agency. You are also the accreditation authority for your organisation.

Note: The person responsible for an organisation may have a different title. For example, chief executive officer (CEO), director-general, director, or similar.

Delegate accreditation authority carefully

When you choose to delegate your accreditation authority, you should carefully consider all the associated risks, as you remain responsible for the decisions your delegate makes.

Your delegate should be a senior executive and hold specialised knowledge in information security and security risk management, preferably your chief information security officer (CISO).

If your delegate is not the CISO, they must at least be a member of the senior executive team or in an equivalent management position.

If you delegate authority to a board, committee, or panel, the requirements of this section apply to the chair or head of that body.

When your organisation is small, and duties can’t be fully separated

If you can’t satisfy all separation of duty requirements because of the size of your organisation, you should ensure that potential conflicts of interest are clearly identified, declared, and actively managed.

Support information security throughout your organisation

Without your full support, your people might not have access to enough resources and authority to successfully implement information security within your organisation.

If an incident, breach, or disclosure of official or classified information occurs in preventable circumstances, you will ultimately be held accountable.

You must provide support for developing, implementing, and maintaining information security processes within your organisation.

Page last modified: 4/05/2022