Quiz Entry - updated: 2026.07.05
What are the requirements for an information security organization within a company?
It must fit the company's processes and responsibilities, sit close to top management, possess autonomous AKV (tasks, authority, responsibility) with its own budget — and hold subject-bound directive competence.
* A RACI matrix makes AKV explicit — exactly one Accountable per task across CISO, IT-Ops, Management, Audit. *
The four requirements:
- Respect existing processes and Zuständigkeiten (responsibilities) in the firm — security must integrate, not collide
- Nahe an der Geschäftsleitung (close to executive management) — its structure usually mirrors the company's structure
- AKV: autonomous, with its own budget and resources — Aufgaben, Kompetenzen, Verantwortung granted together; a security function without budget is decoration
- Fachgebundene Richtlinienkompetenz — the authority to issue binding directives within its subject area (security), even though it is not in the normal chain of command
Tip: Point 4 resolves the classic staff-position dilemma: as a staff function the CISO can't command anyone — except that for security topics, directive competence is explicitly granted. Without it, every security policy is merely a suggestion.
Go deeper:
Stabsstelle (Wikipedia DE) — Hintergrund zur Stabsfunktion ohne Weisungsbefugnis (fachgebundene Richtlinienkompetenz).
RACI (Wikipedia DE) — Verantwortlichkeitsmatrix (Responsible/Accountable/Consulted/Informed) zur klaren AKV-Zuordnung.