Fork me on GitHub

Culture and Organization -> Education and Guidance: Each team has a security champion

Risk and Opportunity

Risk: No one feels directly responsible for security and the security champion does not have enough time to allocate to each team.
Opportunity: Each team defines an individual to be responsible for security. These individuals are often referred to as 'security champions'

Additional Information

Implement a program where each software development team has a member considered a “Security Champion” who is the liaison between Information Security and developers. Depending on the size and structure of the team the “Security Champion” may be a software developer, tester, or a product manager. The “Security Champion” has a set number of hours per week for Information Security related activities. They participate in periodic briefings to increase awareness and expertise in different security disciplines. “Security Champions” have additional training to help develop these roles as Software Security subject-matter experts. You may need to customize the way you create and support “Security Champions” for cultural reasons.

The goals of the position are to increase effectiveness and efficiency of application security and compliance and to strengthen the relationship between various teams and Information Security. To achieve these objectives, “Security Champions” assist with researching, verifying, and prioritizing security and compliance related software defects. They are involved in all Risk Assessments, Threat Assessments, and Architectural Reviews to help identify opportunities to remediate security defects by making the architecture of the application more resilient and reducing the attack threat surface. Source: OWASP SAMM

Implementation hints

Usefulness and Requirements of this Activity

Usefullness: High
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Very Low


ISO27001 2017