CISO role vs ISO 27001 implementer
For a new startup, we are hiring a CISO. At the same time, we need help with the implementation of ISO 27001 as well. Is it fair to expect a CISO to implement new ISO policies, procedures, training, asset risks and risk maps? On a scale of 1-100, we are at about 30 in terms of implementation. The question is: do we still need a consultant for implementation? We are about to interview candidates for CISO. What can we ask them to convince ourselves that they can do both? Do they generally come with the implementation skill, or would they be asking for an additional consultant?
I would appreciate some feedback on this. I enjoy reading your book a lot.
In general, a CISO is a seasoned professional who has already been involved in information security management system (ISMS) implementation, as a team member or project manager. For small companies (up to 50 employees), you can expect a CISO to manage the ISMS implementation. For bigger companies, you should consider designating additional personnel (e.g., other employees or an external consultant) due to the volume of work to be performed.
Regarding questions for the candidate, you can ask about their previous experience with implementation projects and their suggestions on how to implement the ISMS in your organization.
For further information, see:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
- What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/
Mar 07, 2023