Most information security (IS) best practices advocate a separation of concerns between management and direction. The IS team is responsible for managing and auditing compliance with IS policy. The Risk Committee is responsible for providing direction on how information risk is managed within the business. The Head of Information Security owns all IS-related policies and tasks and reports to the CTO, who is ultimately accountable for information security.