
Expert Advice Community

Guest user Created:   Jan 26, 2021 Last commented:   Jan 26, 2021

CISO

Does the standard require that the company have a CISO (Information Security Manager) in-house?
Can I outsource a CISO?
Regarding the training plan, is it always necessary to present some certificate as evidence of a training course?
How do you evidence free courses for which no certificate is issued?
Can the information security objectives be changed at any time, or must a measurement period be waited out?
If a security objective is changed, can an auditor ask me for the measurement of the old objective?


Expert
Rhand Leal Jan 26, 2021

1. Does the standard require that a CISO (Information Security Manager) be within the company?

ISO 27001 does not require specific roles to be defined, only that relevant responsibilities related to information security be defined.

Considering that, a CISO is not mandatory for ISO 27001. You can delegate responsibilities for information security to already existing roles in your organization.

2. Can I outsource a CISO?

ISO 27001 does not prescribe that personnel with roles related to information security need to be employees of the organization, so the CISO role can be outsourced. You only need to ensure that required roles and responsibilities are included in the contract or service agreement established with the outsourcer entity.

3. Regarding the training plan, is it always necessary to present a certificate to demonstrate a training course?

ISO 27001 requires evidence of competence, which can be related to education, training, or experience.

Considering that, a certificate is one example of acceptable evidence for a training course, but you can also use an attendance list (normally a certificate is used when the training is performed by an external provider, and an attendance list is used for internal training courses).

4. How to show the free courses where you do not have a certificate?

In these cases, you can take a screenshot showing the results of the course (e.g., the screen with the final grade, or showing course completion), the attendee's name, and the date.

5. Can the Information Security objectives be changed at any time or should a measurement period be expected?

Normally, Information Security Objectives do not change before the first measurement, but depending on the circumstances involving the need for change (e.g., a significant change in the organizational context), top management can review and define new Information Security Objectives.

6. If a security objective is changed, can an auditor ask me to measure the old objective?

ISO 27001 does not prescribe that changed security objectives need to be measured, so the auditor cannot ask you to measure the old objective, but they can ask for information about the need to change the objective, to evaluate whether it was changed based on a significant change in the organizational context.
