The ISO 27001 & ISO 22301 Blog

Dejan Kosutic

Chief Information Security Officer (CISO) – where does he belong in an org chart?

Companies that start implementing an information security program, or specifically ISO 27001, very soon realize that they cannot do it without a person who coordinates and manages these activities. They then face the following dilemmas: To whom should this person report? In which department should this person work? How can conflicts of interest be avoided?

Avoiding conflict of interest

One of the most important principles in information security is to avoid conflicts of interest, that is, to separate operations from control and audit: the people who run a process should not be the ones who check it. Therefore, the same person cannot be both CISO and internal auditor. Similarly, the information security manager should not work in the IT department, because IT operates the systems the security function is supposed to oversee. In smaller organizations this separation is very difficult to achieve and is usually tolerated; in larger organizations such a conflict of interest is not acceptable, and some industries are heavily regulated in this respect.

Options for placing the CISO in an organization

It doesn’t really matter whether you call this person Chief Information Security Officer, information security manager, information security coordinator, or something similar – basically, there are three options for placing such a person within an organization:

a) A separate function reporting directly to the CEO – this is the best option, but also the most expensive. It means you have a person dedicated full-time to information security, a professional with substantial experience in the field. This is usually the case in larger companies.

b) A position within a department with no conflict of interest – this is very often seen in companies such as financial institutions, where the information security manager is placed within the Operational Risk department. This means you have a person dedicated full-time or part-time to information security who is part of a team focused on risk mitigation. Since this person doesn’t report directly to the CEO, you don’t need a top-level professional for the position.

c) Information security as an additional role – this is typical for smaller companies; for example, the IT manager is at the same time the information security coordinator. As mentioned above, it is very difficult to avoid a conflict of interest in such a setup, but it is certainly the cheapest solution and often the only feasible one for smaller organizations that are starting an ISO 27001 implementation.

As the company develops its information security management system, the position and responsibilities of the Chief Information Security Officer will certainly have to change. But much more important than this person’s formal position is enabling him or her to be in constant contact with both the business and IT sides of the organization, and to have enough authority to implement the necessary changes.

To learn about the requirements of the standard, check out this Clause-by-clause explanation of ISO 27001.
