• (0)
    ISO-27001-ISO-22301-blog

    ISO 27001 & ISO 22301 Blog

    Chief Information Security Officer (CISO) – where does he belong in an org chart?


    Companies that start implementing an information security program, or specifically ISO 27001, very soon realize that they cannot do it without a person who would coordinate and manage such activities. But then they face the following dilemmas: Who should this person be responsible to? In which department should this person work? How to avoid conflict of interest?

    Avoiding conflict of interest

    One of the most important things in information security is to avoid conflict of interest, that is, to separate the operations from control and audit. Therefore, the same person cannot be both CISO and internal auditor. Similarly, the information security manager should not work in the IT department, although since this is very difficult to achieve in smaller organizations it is usually tolerated; however, for larger organizations such conflict of interest is not allowed, and some industries are heavily regulated in this respect.

    Options for placing CISO in an organization

    It doesn’t really matter if you call this person Chief Information Security Officer, information security manager, information security coordinator, or something similar – basically, there are three options for placing such person within an organization:

    a) A separate function directly responsible to the CEO – this is the best option, but at the same time the most expensive. It means you have a person who is dedicated full-time to information security, a professional with lots of experience in this field. This is usually the case in larger companies.

    b) A position within a department with no conflict of interest – this is the situation very often seen in companies like financial institutions, where the information security manager is placed within the Operational Risk department. This means you have a person that is dedicated full-time or part-time to information security, and is a part of a team dedicated to risk mitigation. Since this person doesn’t report directly to the CEO, you don’t need to have a top professional for such a position.

    c) Information security as an additional role – this is a situation typical for smaller companies – for example, the IT manager is at the same time the information security coordinator. As mentioned before, it is very difficult to avoid conflict of interest in such organizations, but this is certainly the cheapest solution and often the only feasible one for smaller organizations which start ISO 27001 implementation.

    As the company develops its information security management system, certainly the position and responsibilities of Chief Information Security Officer will have to change. But much more important than the formal position of this person, is to enable him or her to be in constant contact with both the business and IT sides of the organization, and to have enough authority to implement necessary changes.

    To learn about the requirements of the standard, check out this Clause-by-clause explanation of ISO 27001.

    Advisera Dejan Kosutic
    Author
    Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.