Information security organization

Answer:

ISO 27001 does not prescribe how an organization should implement its information security structure, so organizations are free to develop the frameworks that most suit them, e.g.:
- Create specific roles to handle information security functions (e.g., security analyst to perform security requirements identification, an incident manager to handle incidents, etc.)
- Designate information security functions to already existing roles (e.g., Quality manager to assume the information security management reporting to top management, an IT analyst to handle incidents, etc.)

Criteria to decide which roles create or accumulate security function may be related to the size of the organization, available resources, legal requirements, etc.

This article will provide you further explanation about information security organization:
- Where does information security fit into a company? https://advisera.com/27001academy/blog/2016/10/24/where-does-information-security-fit-into-a-company/

These materials will also help you regarding information security organization:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/