LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What are the requirements for an information security organization within a company?

It must fit the company's processes and responsibilities, sit close to top management, possess autonomous AKV (tasks, authority, responsibility) with its own budget — and hold subject-bound directive competence.

RACI responsibility matrix — tasks as rows, roles as columns, R/A/C/I cells.

* A RACI matrix makes AKV explicit — exactly one Accountable per task across CISO, IT-Ops, Management, Audit. *

The four requirements:

  1. Respect existing processes and Zuständigkeiten (responsibilities) in the firm — security must integrate, not collide
  2. Nahe an der Geschäftsleitung (close to executive management) — its structure usually mirrors the company's structure
  3. AKV: autonomous, with its own budget and resources — Aufgaben, Kompetenzen, Verantwortung granted together; a security function without budget is decoration
  4. Fachgebundene Richtlinienkompetenz — the authority to issue binding directives within its subject area (security), even though it is not in the normal chain of command

Tip: Point 4 resolves the classic staff-position dilemma: as a staff function the CISO can't command anyone — except that for security topics, directive competence is explicitly granted. Without it, every security policy is merely a suggestion.

Go deeper:

  • doc Stabsstelle (Wikipedia DE) — Hintergrund zur Stabsfunktion ohne Weisungsbefugnis (fachgebundene Richtlinienkompetenz).
  • doc RACI (Wikipedia DE) — Verantwortlichkeitsmatrix (Responsible/Accountable/Consulted/Informed) zur klaren AKV-Zuordnung.

From Quiz: ISM / Organisationsformen & Entscheidungswege | Updated: Jul 05, 2026