Expert Advice Community

Guest

CISO

  Quote
Guest
Guest user Created:   Jan 26, 2021 Last commented:   Jan 26, 2021

CISO

¿La norma exige que se tenga dentro de la empresa un CISO (Responsable de Seguridad de la Información)?
¿Puedo tercerizar un CISO?
Sobre el plan de capacitación, ¿siempre es necesario presentar algún certificado para evidenciar un curso de capacitación?
¿Cómo evidenciar los cursos gratuitos donde no se tiene un certificado?
¿Los objetivos de Seguridad de información se pueden cambiar en cambiar en cualquier momento o se debe esperar un periodo de medición?
¿Si se cambia un objetivo de seguridad, un auditor me puede pedir la medición del antiguo objetivo?

0 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jan 26, 2021

1.  Does the standard require that a CISO (Information Security Manager) be within the company?

ISO 27001 does not require specific roles to be defined, only that relevant responsibilities related to information security be defined.

Considering that, a CISO is not mandatory for ISO 27001. You can delegate responsibilities for information security to already existing roles in your organization.

For further information, see:

2. Can I outsource a CISO?

ISO 27001 does not prescribe that personnel with roles related to information security need to be employees of the organization, so the CISO role can be outsourced. You only need to ensure that required roles and responsibilities are included in the contract or service agreement established with the outsourcer entity.

For further information, see:

3. Regarding the training plan, is it always necessary to present a certificate to demonstrate a training course?

ISO 27001 requires evidence of competence, which can be related to education, training, or experience.

Considering that, a certificate is one example of acceptable evidence for a training course, but you also can use a list of attendance (normally a certificate is used when the training is performed by an external provider, and a list of attendance is used for internal training courses).

For more information, see:

This material also can be of interest to you:

4. How to show the free courses where you do not have a certificate?

In these cases, you can take a print screen showing the results of the course (e.g., the screen with the final grade, or showing course completion), the attendee’s name, and date.

5. Can the Information Security objectives be changed at any time or should a measurement period be expected?

Normally, Information Security Objectives do not change before the first measurement but depending on the circumstances involving the need for change (e.g., a significative change in the organizational context), top management can review and define new Information Security Objectives.

For further information, see:

6. If a security objective is changed, can an auditor ask me to measure the old objective?

ISO 27001 does not prescribe that changed security objectives need to be measured, so the auditor cannot ask you to measure the old objective, but he can ask for information about the need to change the objective, to evaluate if it was changed based on a significant change in the organizational context.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 26, 2021

Jan 26, 2021

Suggested Topics

Guest user Created:   May 14, 2021 ISO 27001 & 22301
Replies: 1
0 0

CISO and document management

Guest user Created:   Aug 08, 2018 ISO 27001 & 22301
Replies: 1
0 0

CISO role