Question: Has the organization formally defined its information security and privacy governance structure with clear roles and reporting lines?
Objective — Why This Matters
Without a clear governance structure, security and privacy efforts drift and accountability blurs. MSMEs need an explicit org model (even if lean) so that decisions, exceptions, and escalations are owned and auditable. This reduces delays during incidents and makes compliance reviews straightforward.
Maturity Levels (0–5)
0 — Unaware
No governance model or it exists only in people’s heads.
1 — Ad Hoc
Informal roles; responsibilities overlap; no documented authority.
2 — Defined
Basic governance charter with roles (e.g., CISO/DPO), reviewed annually.
3 — Managed
Committee meets on a cadence; decisions tracked; escalation paths working.
4 — Integrated
Governance linked to enterprise risk, KPIs, and budget planning.
5 — Optimized
Governance continually improved; independent oversight and benchmarking.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Write a one-page governance note naming security/privacy leads; publish in the intranet. |
| 1 → 2 | Approve a governance charter with RACI; add reporting lines to org chart. |
| 2 → 3 | Stand up a cross-functional committee (IT, Legal, Operations) with a monthly agenda and minutes. |
| 3 → 4 | Tie governance reviews to risk register/KPIs; include budget requests and decision logs. |
| 4 → 5 | Commission annual independent review; adopt external benchmarking (e.g., NIRMATA scores). |
People / Process / Technology Enablers
- People: Named Security Lead, Privacy Lead (could be fractional for MSMEs), Exec Sponsor.
- Process: Governance charter, RACI, escalation matrix, meeting calendar.
- Technology: Shared drive/wiki for decisions; ticketing for actions; simple dashboard.
Evidence Required
- Org chart with security/privacy roles highlighted.
- Approved governance charter and RACI.
- Committee calendar and last 3 meeting minutes.
- Escalation matrix distributed to teams.
Metrics / KPIs
- % of planned governance meetings actually held; % of assigned actions closed by their due date.
- Time from escalation to recorded decision.
- % of policies reviewed and approved within the scheduled review cycle.
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Documentation | GitHub / GitLab Wiki | Versioned governance pages, change history. |
| Action tracking | Trello / GitHub Issues | Keep decision/action logs with owners and due dates. |
| Dashboards | Metabase / Redash | Simple KPI views from spreadsheets. |
Common Pitfalls
- Naming roles without mandate or time allocation.
- Committees that meet but don’t track decisions/actions.
- Governance that ignores vendors and cloud services.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | 5.1 (leadership and commitment), 5.3 (organizational roles, responsibilities and authorities); Annex A.5.1 (policies for information security), A.5.2 (information security roles and responsibilities) |
| DPDP Act 2023 | Sec 8 (general obligations of Data Fiduciary, accountability); Sec 10 (additional obligations of Significant Data Fiduciary, incl. appointing a Data Protection Officer) |
| GDPR (orientation) | Art. 24 (responsibility of the controller), Art. 25 (data protection by design and by default); Art. 37-39 (DPO designation, position, tasks) |
| NIRMATA Scoring | GL-Q01 evidence anchors; Level ≥3 requires charter + minutes. |