1. Purpose of this Guide
This artefact proves that your company has clear reporting lines and responsibilities. Cyber Essentials requires this because, in a crisis, everyone needs to know who calls the shots. An organisational chart is like your battle map — showing who leads, who supports, and who reports where.
2. What You Will Submit
You will need:
- An organisational chart that includes:
  - Leadership roles (e.g., CEO, Directors).
  - IT/security roles (e.g., IT Manager, Security Lead).
  - Operational teams (e.g., HR, Finance, Ops).
  - Reporting lines (who reports to whom).
3. How to Collect / Obtain / Generate This Evidence
For StrongKeep Customers (recommended):
- Download StrongKeep's Organisational Chart Template.
- Fill in your company’s staff names, job titles, and reporting relationships.
- Save as PDF or PNG.
If building from scratch:
- Microsoft PowerPoint / Word / Excel: Use SmartArt → Hierarchy → fill in roles.
- Draw.io / Lucidchart / Canva: Use drag-and-drop hierarchy tools to design the chart.
- Ensure clarity: don’t overload with every single intern — focus on structure and authority.
4. Evidence Format
- Accepted file types: PDF, PNG, JPG, DOCX.
- Suggested naming format: YourCompanyName_OrgChart_YYYY-MM-DD.pdf
  Example: AcmeCorp_OrgChart_2025-07-01.pdf
5. What “Good” Looks Like
- Clear hierarchical structure with key roles shown.
- Reporting lines visible (arrows/lines connecting roles).
- Includes IT/security roles relevant to incident response.
- Reflects the current state of your company (not outdated).
Why it matters: auditors want to see that your company won’t descend into chaos during an incident — everyone knows their role and who they report to.
6. Tips
- Update the chart whenever leadership or IT/security roles change.
- Keep it high-level — auditors don’t need every intern or contractor.
- Pair this with your Incident Response Plan artefact to show who actually carries out each action.