
In cybersecurity, many problems don’t start with technology.
They start with confusion.
Confusion about who is responsible for what.
And on the CISSP exam, this is one of the most tested distinctions:
Data Owner vs Data Custodian vs Data User
Why This Matters
Most organisations assume:
“IT is responsible for data security.”
That’s only partially true.
Because CISSP separates:
- Decision-making
- Execution
- Usage
If you mix these up, you don’t just fail the exam.
You create accountability gaps in real life.
A Simple Analogy: The Bank Locker
Think of a bank locker.
- You own what’s inside
- The bank secures the vault
- Authorized people can access it
Now map this:
- You → Data Owner
- Bank → Custodian
- Authorized person → User
Each role is different.
Each has a specific responsibility.
Data Owner – The Decision Maker
The Data Owner is a business role, not an IT role: typically a manager or executive who is accountable for the data their function creates or relies on.
Responsibilities include:
- Classifying the data
- Defining sensitivity
- Deciding who can access the data
- Setting retention requirements
- Accepting risk
Key point:
The Data Owner is accountable.
They don’t implement controls.
They define what needs to be done, and the accountability for the outcome stays with them even when the work is delegated.
Data Custodian – The Implementer
The Data Custodian is typically IT or operations.
Responsibilities include:
- Implementing security controls
- Managing storage and backups
- Enforcing access permissions
- Maintaining systems
Important distinction:
Custodians do not decide policy.
They execute what the Data Owner defines. In exam language, the custodian is responsible for the day-to-day protection of the data, while the owner remains accountable for it.
Data User – The Consumer
The User is anyone authorized to access data.
Responsibilities include:
- Using data appropriately
- Following policies
- Protecting credentials
- Avoiding misuse
Users don’t define access.
They follow it.
⚖️ The Core Difference
Let’s make this crystal clear:
- Owner → Decides
- Custodian → Implements
- User → Uses
Or even simpler:
- Owner defines access
- Custodian enforces access
- User complies with access
Why This Structure Matters
Without clear roles:
- Access decisions become inconsistent
- Security controls are misapplied
- Accountability becomes unclear
With clear roles:
- Governance improves
- Risk becomes manageable
- Security becomes structured
CISSP principle:
Accountability for data always belongs to the business owner; it can be delegated to IT as tasks, never as accountability.
How This Appears in the CISSP Exam
CISSP won’t ask:
“Who is a Data Owner?”
Instead, it will ask:
- Who should approve access?
- Who defines classification?
- Who is accountable for protecting the data?
- Who implements the protection?
Watch the wording: “accountable” points to the Owner, “implements” or “performs” points to the Custodian.
Correct thinking:
- Decision → Owner
- Execution → Custodian
- Usage → User
Key Takeaway
If you remember one concept, remember this:
Ownership is about accountability.
Custodianship is about execution.
🎧 Listen to the Podcast
This article is part of the CISSP Blog and Podcast Series – PK’s Chronicles.
The podcast episode explains this using real-world analogies and exam-focused scenarios in a simple, 10-minute format.
Search on Spotify:
PK’s Chronicles
Final Thought
Security is not just about controls.
It is about clarity of responsibility.
When roles are clear, decisions improve.
When decisions improve, security strengthens.
Until then—
Think roles.
Think accountability.
Think like a CISSP.