THREAT BRIEFING · 15.07.2026 DEENFRES

Strategy & Governance

Which CISO Decision Rights Must Be Set Out in Writing

By Alec Chizhik · June 23, 2026 · 10 min read

Friday, 2:47 a.m. The SOC reports lateral movement in the ERP segment and recommends isolation. The IT operations shift supervisor objects: month-end closing is running until 6:00 a.m. The CISO is on the phone, but the incident policy only says coordinate and advise. The question of who is allowed to shut down the production system at 2:47 a.m. is the wrong time for a fundamental debate.

Key Takeaways

  • Expectation vs. Authority: The CISO is regarded as the security authority, yet in practice the mandate often ends at policy and advice. Without written authority, the loudest voice decides in an emergency.
  • Six Areas: Risk acceptance, policy exceptions, change approval, emergency isolation, budget and audit rights belong in the mandate with concrete thresholds.
  • Executive Management Remains Accountable: Section 38 BSIG and NIS2 Article 20 leave ultimate responsibility with executive management. The CISO acts under a delegated mandate that closes the gap.
  • Separate Reporting Line: Whoever is supposed to control IT operations should not report to it. BSI recommends direct assignment to top management.

Related:KRITIS Umbrella Act: When Resilience Becomes a CISO Obligation  /  Why the ISO Certificate Alone Is Not Enough for the BSI

Without a Written Mandate, the Loudest Voice Decides

What Is a CISO Mandate? A CISO mandate, often called a charter, is the written agreement between executive management and the CISO that defines their role, reporting line, decision and veto rights, escalation paths, and resources. It translates the abstract expectation “responsible for security” into concrete, enforceable authorities in an emergency.

Most organizations treat the CISO as the top security authority. In practice, however, the mandate often ends at strategy and policy, without operational enforcement rights. This gap between expectation and authority is not an isolated case; it is structurally built in.

The NIST Framework calls the core by name. The Governance, Roles and Responsibilities category in Cybersecurity Framework 2.0 requires that roles be equipped with the necessary authority. The revised guidance on Incident Response, NIST SP 800-61r3 from April 2025, states as a recommendation: Roles and responsibilities should be documented. Those involved need the authority to fulfill their tasks. The month-end closing versus isolation conflict is not a technical problem. It is a governance gap when the escalation chain is not documented in writing in advance.

Six Decision Areas That Belong in the Mandate

A mandate does not have to regulate everything. It must clarify in advance the conflicts that regularly escalate in day-to-day operations and during incidents. Six areas come up time and again.

Risk Acceptance with Thresholds. The CISO assesses risks and describes compensating controls. Final acceptance of business risk should not rest with them. The mandate sets thresholds, for example by severity, data classification, or process criticality, above which the business unit or executive management formally countersigns. The CISO’s signature confirms the accuracy of the security analysis. The business decision is not theirs.

Policy Exceptions. The CISO qualifies whether an exception is permissible, sets a time limit, and requires compensating measures. Silent continuation via tickets without documented acceptance must be ruled out. Where they reject, the path leads to escalation. A workaround is not an option.

Change Approval for Risky Deployments. IT operations wants to meet the release deadline; the CISO sees open findings or a missing penetration test approval. The mandate defines tiers: standard changes proceed without the CISO, high-risk changes require their approval or veto, a deadlock goes to executive management or a cyber committee.

Emergency Isolation. The most important sentence in the mandate. Who is allowed to separate network segments, lock accounts, and take production systems offline without prior approval from executive management and within what parameters. An active incident with confirmed compromise is a different case from mere suspicion. Precisely this boundary must be drawn in advance.

Budget and Resources. Not a blank check, but minimum authorities: a dedicated security budget, an approval threshold for emergency expenditures such as forensics or external support, and a say in security-relevant procurements. The BSI explicitly calls for sufficient resources and a direct reporting line for the security officer.

Audit and Review Rights. No visibility, no veto. The CISO needs read and audit access to logs, firewall rules, vulnerability reports, and backup-restore tests, independent of IT operations. This authority belongs in the mandate with time and legal limits, yet must be enforceable.

The following overview shows the pattern, without spelling out an entire RACI matrix.

Decision Who Decides Escalation on Deadlock
Final risk acceptance Business unit or executive management, CISO signs the analysis Executive management
Approve high-risk change CISO approval or veto Executive management or cyber committee
Isolate production system CISO or CSIRT in an active incident Immediate notification to executive management without prior approval
Policy exception CISO time-limited, with compensation Executive management if rejected by the business unit

CISO and CIO: Why the Same Reporting Line Hides the Conflict

Availability and security are two legitimate goals that regularly conflict. IT operations wants to deliver; the CISO wants to secure. When both roles sit in the same reporting line, IT leadership controls exactly what the CISO is supposed to control: patches, identities, logging, backup. This breaks the separation of duties.

BSI therefore recommends assigning the Information Security Officer (ISB) directly to top management to preserve independence. Integration into the IT department can create role conflicts. Governance analyses point in the same direction: Where the security function reports to IT leadership, information deficits and quiet self-interests easily arise in the chain.

The practical answer is not a status debate about whether the CISO belongs in the C-suite. It is an escalation rule: A professional deadlock between IT leadership and the CISO escalates to executive management within a defined time window. Executive management decides on the business risk; the CISO documents their security position; both are recorded in writing in the minutes.

The Legal Framework Draws the Line Between Responsibility and Authority

Laws and standards define management responsibility. They do not regulate the CISO’s operational decision-making powers. The mandate closes precisely this gap. Section 38 BSIG obliges executive management to implement risk management measures and monitor their implementation. In the event of a culpable breach of duty, they are liable under corporate law rules. NIS2 Article 20 sets out the same line at EU level: The management bodies approve the measures, monitor them, and can be held liable for violations.

BSI basic protection makes the consequence clear. Top management bears overall responsibility. Delegating operational tasks does not release them from it. This results in a clean division of roles: Executive management remains the ultimate decision-maker for risk acceptance and strategic trade-offs. The CISO receives delegated authorities for security operations, a veto in defined areas, and an escalation obligation. The order matters: The law does not specify which rights the CISO has. That is an organizational question. Therefore it must be answered in writing.

What Belongs in a CISO Mandate and Where to Start

A mandate is a compact contract between executive management and the CISO, not a 40-page policy bundle. Eight building blocks suffice: role and scope with clear boundaries versus the CIO and data protection, the reporting line with minimum frequency and unfiltered conflict reporting, decision authorities with thresholds, the enumerated veto rights, the escalation path with time window and availability, resources including emergency approvals, audit and enforcement rights, and a review cycle signed off by executive management.

Getting started requires no major reorganization. Three steps are enough to begin. First: answer the three incident questions in advance-who isolates, who notifies executive management and authorities, who may sacrifice availability. Second: record these answers identically in the mandate and the incident plan. Third: run the ERP segment isolation scenario once as a tabletop exercise, with IT leadership, the CFO, and executive management at the table, beyond the SOC. Anyone who has done this exercise will no longer argue about responsibilities at 2:47 a.m.

In very small organizations, the role sometimes coincides with IT leadership. Compensating measures are then required: a four-eyes principle, external reviews, and a direct reporting line to executive management during an incident, clearly time-limited. This is the second-best solution, but at least it is documented.

Frequently Asked Questions

Each question is closed. Tap to unlock the answer.

What is the difference between a job description and a CISO mandate?

A job description lists tasks and requirements. A mandate defines authorities: what the CISO may decide, where they have a veto, when they escalate, and which resources they are entitled to. In an incident, the mandate counts because it governs the authority to act.

Does the BSIG prescribe the rights a CISO has?

No. Section 38 BSIG regulates the responsibility of executive management. It does not regulate the CISO’s authorities. Which rights are delegated is an organizational decision. This is precisely why it must be made in writing; otherwise the gap between legal responsibility and operational action remains open.

Should the CISO report to the CIO?

BSI advises direct assignment to top management to preserve independence. Whoever is supposed to audit IT operations and, if in doubt, apply the brakes should not report to it. Where a direct line is not possible, at least an unfiltered escalation path to executive management is needed.

May a CISO shut down a production system on their own authority?

Only if the mandate permits it. A clearly defined authority for isolation in an active incident with confirmed compromise makes sense, combined with immediate notification to executive management. Without this written rule, the delay arises that is most costly in a real emergency.

How often should a mandate be reviewed?

At least annually and after every major security incident. An incident quickly reveals where authorities did not hold up in practice. Every review ends with a fresh signature from executive management so the mandate remains current and authorized.

Editor’s Reading Recommendations

Editor’s Picks

Editor’s PickWhy an ISO Certificate Alone Is Not Enough for the BSIEditor’s PickSupply Chain Risk Is a Program, Not an Audit ChecklistEditor’s PickKRITIS-Dachgesetz: When Resilience Becomes a CISO’s Mandatory Duty

More from the MBF Media Network

Digital ChiefsGeopolitics Meets the Data Center Roadmap: What CIOs Must Secure NowMyBusinessFutureEU AI Act from August 2026: What labelling obligations really affect SMEscloudmagazinXFS4IoT Meets the Cloud: The ATM Becomes a Platform

Further reading

News · July 2, 2026

When Attackers Are Faster Than the Patch

Between disclosure and exploitation of a vulnerability, only days often pass today. The State of Vulnerabilities Report 2026 reveals what matters now.

A magazine by Evernine Media GmbH