Skip to content
English
Back to adoptech.co.uk
  • There are no suggestions because the search field is empty.

Clarifying Roles and Responsibilities

Why is clarifying roles and responsibilities important and what are the typical roles?

The Roles and Responsibility Policy defines the critical roles and responsibilities relating to your Management system whether this is an Integrated Management System (IMS) or specifically for one area such a Quality Management System (QMS), Information Security Management System (ISMS), Environmental Management System (EMS), Artificial Intelligence Management System (AIMS) or Cyber Assessment Framework (CAF).

It is important that roles and responsibilities are clearly defined and allocated so everyone is clear who is responsible.

 

Information Security

It is important that roles and responsibilities are clearly defined and allocated. These may be outlined within procedural documents or through ownership of tasks in eg Adoptech or a ticketing system. The following are areas that should be considered:

  • protection of individual assets – within an asset inventory
  • information security risk management activities and in particular for acceptance of residual risks
  • incident management 
  • change control
  • the maintenance of each company policy
  • the implementation of controls designed to mitigate information security risks as outlined in the company policies
  • the execution of information security tasks that are required to fulfil control objectives
  • the information security risks associated with suppliers
  • external information security communications, such as those with authorities or special interest groups e.g. The National Cyber Security Centre (NCSC) or Information Commissioner’s Office (ICO)
  • threat intelligence - analysis and communication
Example roles and responsibilities that might be defined for information security in the Roles and Responsibilities policy include:
  • Documentation and compliance of the Information Security Management System
  • Setting Information Security objectives and report on progress
  • Information security risk assessment
  • Overseeing and approving changes to the ISMS
  • IT operational change
  • Staff information security awareness training
  • Defining and controlling staff access rights
  • Asset management
  • Supplier management
  • Internal audit scheduling
  • Monitoring the risk register / action log
  • Background screening
  • Threat Intelligence - analysis and communication
  • Incident management 

Quality

For Quality Management, it is important that roles and responsibilities are clearly defined and allocated.  These may be outlined within procedural documents or through ownership of tasks in eg Adoptech or a ticketing system. The following are areas that should be considered:

  • Maintaining the integrity of the QMS 
  • Monitoring QMS performance
  • Promoting customer focus
  • Quality assurance
  • Quality improvement

Example roles and responsibilities that might be defined for Quality in the Roles and Responsibilities Policy include:

  • Documentation of the Quality Management System
  • Setting Quality objectives and report on progress
  • Maintain QMS business process documentation
  • Overseeing and approving changes to the QMS
  • Review quality assurance
  • Client service management 
  • Reporting of QMS performance
  • Monitor the action log

Artificial Intelligence (AIMS)

For Artificial Intelligence Management, it is important that roles and responsibilities are clearly defined and allocated. These may be outlined within procedural documents or through ownership of tasks in, e.g., Adoptech or a ticketing system. The following are areas that should be considered:

  • Oversight of AI governance and ethical principles
  • AI risk management and impact assessment activities
  • AI lifecycle management — design, development, validation, deployment, monitoring, and retirement
  • AI incident management and reporting
  • Data quality, lineage, and privacy management throughout the AI lifecycle
  • Ensuring model transparency, fairness, and explainability
  • Maintenance of the AI Management System (AIMS) documentation and controls
  • Supplier and third-party AI assurance
  • Regulatory, legal, and ethical compliance in the use of AI systems
  • Human oversight and accountability within AI decision processes

Example roles and responsibilities that might be defined for Artificial Intelligence in the Roles and Responsibilities Policy include:

  • Documentation and compliance of the Artificial Intelligence Management System (AIMS) with ISO 42001.
  • Setting AI objectives and reporting on progress
  • Conducting AI risk and impact assessments
  • Overseeing and approving changes to AI systems and related governance documents
  • Coordinating AI ethics reviews and oversight committee activities
  • Managing AI data governance, including data protection and bias mitigation
  • Monitoring AI performance, fairness, and drift metrics
  • Managing the AI Risk Register, Incident Register, and Action Log
  • Reviewing AI supplier performance and assurance evidence
  • Reporting AI compliance and audit outcomes to Senior Management

Environment

For Environmental Management, it is important that roles and responsibilities are clearly defined and allocated.  These may be outlined within procedural documents or through ownership of tasks in eg Adoptech or a ticketing system. The following are areas that should be considered:

  • Maintaining the integrity of the EMS 
  • Monitoring EMS performance
  • Promoting environmental initiatives

Example roles and responsibilities that might be defined for Environment in the Roles and Responsibilities Policy include:

  • Documentation of the Environmental Management System
  • Set Environmental objectives and report on progress
  • Maintain the Impacts and Aspects Register
  • Monitor the action log
  • Overseeing and approving changes to the EMS
  • Reporting of EMS compliance

Cyber Assessment Framework (CAF)

For CAF, it is important that roles and responsibilities are clearly defined and allocated across the organisation. These may be outlined within procedural documents or through ownership of tasks in Adoptech. The following are areas that should be considered:

  • Governance and oversight of CAF implementation
  • Management of security risks to essential functions
  • Asset identification and lifecycle management
  • Supply chain risk management
  • Protection of systems and data supporting essential functions
  • Monitoring and detection of cyber events
  • Incident response and recovery
  • Continual improvement and lessons learned

Example roles and responsibilities that might be defined for CAF in the Roles and Responsibilities Policy include:

  • Board-level CAF Lead / Senior Information Risk Owner (SIRO)
  • CAF Coordinator / Compliance Manager
  • Risk Manager
  • Asset Owner
  • Supply Chain Manager
  • Security Operations Lead / IT Manager
  • Internal Auditor / Assurance Officer
  • Training and Awareness Lead