For a new startup , we are hiring a CISO. At the same time we need help with the implementation of ISO 27001 as well. Is it fair to expect a CISO to implement new ISO policies, procedures, training, asset risks and risk maps. On a scale of 1-100, we are about 30 in terms of implementation. Question is do we still need a consultant for implementation. We are about to interview candidates for CISO, What can we ask him to convince ourselves that he can do both. Do they generally come with the implementation skill or they would be asking for an additional consultant
Appreciate some feedback on this. I enjoy reading your book a lot.