Three Lines of Defence
Oversight
Control Statement
The roles and responsibilities of each of the three lines of defence and other stakeholders are clearly described within the cyber risk framework.
Description
The three lines of defence model is a governance structure that distinguishes between risk ownership (first line), risk oversight (second line), and independent assurance (third line). In the context of cyber risk, the first line comprises operational management and teams who own and manage cyber risks day-to-day. The second line includes risk management and compliance functions that provide oversight, set standards, and challenge the first line. The third line is internal audit, which provides independent assurance on the effectiveness of the first and second lines. Clearly documenting these roles within the cyber risk framework prevents gaps, overlaps, and accountability failures.
Key Implementation Activities
1. Document the roles, responsibilities, and accountability boundaries for each line of defence within the cyber risk framework
2. Define the first line's responsibilities for implementing controls, managing risk, and reporting on control effectiveness
3. Establish the second line's mandate for independent risk assessment, policy oversight, compliance monitoring, and challenge of first line activities
4. Ensure the third line (internal audit) has an independent mandate to assess the effectiveness of both first and second line cyber risk activities
5. Define coordination mechanisms and information flows between the three lines, including escalation protocols and reporting requirements
Evidence Examples
- Framework documentation with clear delineation of three lines of defence responsibilities for cyber risk
- RACI matrix showing activity ownership across the three lines for key cyber risk processes
- Internal audit charter or mandate referencing cyber risk coverage and independence requirements
- Second line oversight reports demonstrating independent review and challenge of first line activities
- Organizational governance documentation showing reporting lines that preserve second and third line independence
Maturity Levels
Lines of defence are not formally defined for cyber risk. Responsibilities overlap or have gaps. The second line may not have sufficient independence or mandate to challenge the first line.
The three lines model is formally documented and implemented for cyber risk. Each line has clear responsibilities, reporting requirements, and accountability. Independence of the second and third lines is structurally supported.
The three lines operate seamlessly with established coordination mechanisms. Effectiveness of each line is measured and reported. The model is regularly assessed and adapted to changes in organizational structure and risk profile.
Evidence Requirements
| Type | Evidence Item | Frequency | Level |
|---|---|---|---|
| Document | Framework documentation with clear three lines of defence delineation | Reviewed annually | Required |
| Document | RACI matrix for cyber risk activities across all three lines | Reviewed annually | Required |
| Document | Internal Audit charter referencing cyber risk coverage and independence mandate | Reviewed annually | Required |
| Record | Second line oversight reports demonstrating independent review and challenge | Quarterly | Required |
| Record | Internal audit reports on cyber risk covering first and second line effectiveness | Per audit cycle | Required |
| Record | Organizational governance documentation showing reporting lines preserving independence | Current | Expected |