The CISO in ISO 27001<\/h2>\n
ISO 27001<\/strong> does not require a company to nominate a Chief Information Security Officer (CISO)<\/strong>, or any other person who would coordinate information security (e.g., Information security officer, Security manager, etc.).<\/p>\n However, ISO 27001<\/a> is written in such a way that it is applicable to companies of any size, in any industry, so requiring small companies to have a designated CISO would be overkill.<\/p>\n<\/div> Since ISO 27001 does not require the CISO, it does not prescribe what this person should do, either \u2013 so it is up to you to decide what suits your company the best. Generally, this person should coordinate all the activities related to securing the information in a company, and here are some ideas on what this person could do (divided by ISO 27001 sections):<\/p>\n CISO<\/strong> responsibilities are quite numerous and this person is involved in several very different areas of your company.<\/p>\n The larger the company, the more difficult it becomes to remember all these responsibilities, so depending on the size of your organization, you should produce one or several documents where you describe those. Some companies tend to list all the responsibilities of the CISO in a single document, but it isn’t very useful because it is difficult to understand someone\u2019s role without seeing the process it is part of.<\/p>\n Therefore, it is better to describe those responsibilities in several documents that detail those processes \u2013 for example, the CISO responsibilities<\/strong> related to human resources management should be described in the Human resource policy, responsibilities related to incidents in the Incident management procedure, etc…<\/p>\n<\/div> In smaller companies, the role of CISO<\/strong> should be performed by someone along with his\/her other duties \u2013 e.g., if you are a company of 10 employees, this could be done by your IT system administrator; if you have 100 employees this could be your IT manager. However, if your company has a couple of thousand employees, you should have at least one full-time person dedicated to this job, because it will consume this person full-time.<\/p>\n When selecting a person to be the CISO, your main criteria should not only be how knowledgeable this person is about information technology. It is even more important that this person knows the business processes in your company, and has good interpersonal skills.<\/p>\n Why is this? Because the main job of the Chief Information Security Officer should be developing a risk-based security culture in a company. Just as one of the underlying principles in all companies is that all the activities are to be made profitable, the CISO should develop a similarly embedded mindset with security: that all the business activities create a certain level of security risk, and that such risk must be mitigated with safeguards \u2013 so that business would gain benefits.<\/p>\n Many organisations do not have the resources to employ dedicated Information Security personnel or the existing IT team don\u2019t have the time to keep up with the constant flux of the threat landscape. ISO 27001 Solutions provides a \u201cCISO as a service<\/strong><\/a>\u201d offering which can give your business the ultimate service offering covering all information security requirements across the organisation. This service is the ideal choice when there isn\u2019t a full time requirement for a CISO or when the existing CISO can benefit from some assistance. The service is flexible and can be tailored to your business\u2019 needs.<\/p>\n<\/div><\/div><\/div> These Posts may also interest you :<\/p>\n<\/div>![](\"https:\/\/ismsalliance.com\/wp-content\/uploads\/2018\/12\/ciso-banner-1024x219.jpg\")
<\/a><\/span><\/div><\/div>What does the CISO do ?<\/h2>\n<\/div>
Compliance:<\/h3>\n
\n
Documentation:<\/h3>\n
\n
Risk management:<\/h3>\n
\n
Human resources management:<\/h3>\n
\n
Relationship with top management:<\/h3>\n
\n
Improvements:<\/h3>\n
\n
Asset management:<\/h3>\n
\n
Third parties:<\/h3>\n
\n
Communication:<\/h3>\n
\n
Incident management:<\/h3>\n
\n
Business continuity:<\/h3>\n
\n
Technical:<\/h3>\n
\n
How to document CISO responsibilities ?<\/h2>\n<\/div>
Who should be the CISO ?<\/h2>\n<\/div>
![\"\"](\"https:\/\/ismsalliance.com\/wp-content\/uploads\/2018\/12\/CISO-job.jpeg\")
<\/a><\/li><\/ul><\/div>![\"\"](\"https:\/\/ismsalliance.com\/wp-content\/uploads\/2018\/11\/ISMS-scoping-700x441.png\")
<\/a><\/li><\/ul><\/div>![\"\"](\"https:\/\/ismsalliance.com\/wp-content\/uploads\/2018\/11\/context-of-the-organization-ems-07-1-598x441.png\")
<\/a><\/li><\/ul><\/div>![\"\"](\"https:\/\/ismsalliance.com\/wp-content\/uploads\/2018\/11\/meeting-image-700x441.jpg\")
<\/a><\/li><\/ul><\/div>