CISO role in ISO 27001 implementation, suppliers and other questions

Answer: CISO should not assume the role of an internal auditor because that would be a conflict of interest according to ISO 27001 clause 9.2 e). Of course, CISO should be part of the ISO 27001 implementation team because this is the best way to make sure all the existing safeguards are integrated into the ISMS, and that the system will be maintained after the implementation is over. See also this article: What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

Plus, where in the documentation we should specify the CISO name?

Answer: ISO 27001 does not require you to mention names in the documentation, and we have decided not to use names in our documentation because when someone leaves the company this would require too much updating. If you want to, you can specify CISO's name i n his/her working contract.

In some cases, the security measures will be transferred to a third party. How to ensure third-parties have committed? Should an email be enough/should such a commitment be verified through auditing? What is the requirement/process as per the ISO standard and what if the third party doesn’t accept to comply with these security measures?

Answer: You should define third-party security obligations in the agreement that you're signing with them, and when these security clauses are really important, you can use audits to verify if they are compliant. If your supplier doesn't want to apply security clauses, then you should consider changing the supplier. This article will also help you: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

In the documentation, the simple risk assessment methodology was adopted. However, could you please provide more insight into the detailed risk assessment and the acceptable level of risk/criteria for accepting risks.

Answer: Instead of assessing the likelihood, you can assess the level of threats and vulnerabilities; instead of impact you can assess separately the impact on confidentiality, integrity and availability. So instead of assessing 2 items (impact and likelihood), you can assess 5 items. This article might also be helpful: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/