Answer: CISO should not assume the role of an internal auditor because that would be a conflict of interest according to ISO 27001 clause 9.2 e). Of course, CISO should be part of the ISO 27001 implementation team because this is the best way to make sure all the existing safeguards are integrated into the ISMS, and that the system will be maintained after the implementation is over. See also this article: What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
Plus, where in the documentation we should specify the CISO name?
Answer: ISO 27001 does not require you to mention names in the documentation, and we have decided not to use names in our documentation because when someone leaves the company this would require too much updating. If you want to, you can specify the CISO's name in his/her working contract.
In some cases, the security measures will be transferred to a third party. How do we ensure third parties have committed? Should an email be enough, or should such a commitment be verified through auditing? What is the requirement/process as per the ISO standard, and what if the third party does not agree to comply with these security measures?
In the documentation, the simple risk assessment methodology was adopted. However, could you please provide more insight into the detailed risk assessment and the acceptable level of risk/criteria for accepting risks.