My question is about roles and responsibilities in ISO 27001. What do you think the Management Representative's (MR) position in the ISMS is? If we have a CISO, do we still need an MR? If we have both of them, what is the difference between their responsibilities?
Answer: The Management Representative is not a role required in the ISMS by ISO 27001, but an organization can assign one if it understands that this can make its ISMS work better (in some scenarios, a person dedicated to the specific activities of the management system can better ensure and improve its results).
A CISO can assume the role of MR in an ISMS in case of need (if you have only ISO 27001, our recommendation would be to have only a CISO), but in organizations with multiple ISO management systems it may be better to have the CISO and the MR as separate roles, because while the MR must be competent in the requirements of all the management systems the organization has, the CISO is specialized in information security and may be overwhelmed by activities regarding other management systems.