I have a question: must the CISO be placed under the CEO in the company's organizational structure, or is it also fine for the CISO to be under the COO? According to ISO 27001, where is it stated that the CISO should be placed? We are undergoing ISO 27001 implementation and we have this debate, and I want to understand if we are OK with that. From my perspective, if the CISO has the right budget and profile in the organisation to do things according to the standards, they can be under the COO as well.
Answer: ISO 27001 does not prescribe the role of CISO for the implementation of an ISMS. The standard requires the definition and assignment of responsibilities related to information security, but not to a specific role, nor its position on the organizational chart. Considering that, you can define any existing role, or create a new one, to assume the responsibilities for information security, provided it can fulfill them; but the closer its position gets to the CEO, the better, because the communication of information security needs and results will be faster.