My first question would be whether it is necessary to always list a job title (e.g. CISO) or whether it is sufficient to list the name of the person in charge of that task. In our company, for example, we do not have the position of a CISO yet. Is it necessary to create this position, or can we just stick to the "name, surname"?
Answer: ISO 27001 does not require the CISO position, so you can designate any existing position in your organization to assume related information security responsibilities.
Regarding the use of name and surname, we recommend the use of a role or job title, because if the person responsible for information security changes, you will have to change all related documentation to the new name, while by using the job title, in general you will have to change only the organizational chart. It is important to note that this recommendation is also valid for other roles you may define in your Information Security Management System.