# Data Owners, Controllers, and Processors

Backlink: [[Domain 1 - Index]]

**Definition:** Roles accountable for decisions about data (owner/controller) and roles that carry out day-to-day operations on it (custodian/processor).

## Key Facts

- Data owner: internal business role accountable for a data set; assigns its classification, approves access, and sets retention.
- Controller: the organization that determines the purposes and means of processing personal data (a legal role under privacy law such as GDPR).
- Processor: processes personal data on the controller's behalf and only on its documented instructions; bound by a Data Processing Agreement (DPA) and must flow the same obligations down to any sub-processors it uses.
- Custodian: implements the owner's decisions technically: access enforcement, backups, retention, and other controls.
- Contracts (DPA, SLA) define each party's obligations and the right to audit them.
- Owner/custodian are internal governance roles; controller/processor are legal roles defined by regulation. Map each scenario actor to both sets where the question calls for it.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

> [!tip] **Exam Relevance**
> - Map scenario actors to roles correctly
> - Identify who approves access and retention (owner/controller) and who carries it out (custodian/processor)

> [!note] **Mnemonic**
> - "Own decides; Process does."

### Example

Q: A cloud SaaS provider stores your customer data; which role does each party hold?

A: The SaaS provider is the processor; your organization is the controller. Caveat: for data the provider collects for its own purposes (for example, your account and billing details) the provider is itself a controller, so a single vendor can hold both roles depending on the data in question.

## Revision Checklist

- [ ] Define owner/controller/processor/custodian
- [ ] Tie roles to classification and access
- [ ] Know contractual artifacts (DPA, SLA)
- [ ] Assign accountability in a RACI matrix

## Related

[[Data Classification and Handling]] · [[Privacy Principles and Regulations]] · [[Service Level Agreements and Contracts]] · [[Third-Party and Supplier Risk Management]] · [[Security Roles and Responsibilities]]

#cissp #domain-1 #concept