Expert Advice Community

Management Representative in ISO 27001:2013

Guest user Created:   Dec 02, 2016 Last commented:   Jan 24, 2018

Is MR role necessary in ISO 27001:2013?

Expert
Rhand Leal Dec 02, 2016

Answer: There is no mandatory requirement to establish a management representative in ISO 27001:2013, so the decision to define this role is up to the organization, considering its context, requirements and the information security structure that will best serve its objectives. Sometimes, this management representative role is performed by the CISO (Chief Information Security Officer).

These articles will provide you further explanation about the CISO role in ISO 27001:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
- Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

These materials will also help you regarding CISO role in ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Guest
muhammeto Jan 24, 2018

Thank you for your quick answer.
If I use both roles (MR and CISO), which position should be higher? And which one is more suitable to prepare procedures and policy? Which one should approve?

Expert
Rhand Leal Jan 26, 2018

There is no universal rule about which role should be in a higher position (e.g., both can answer to top management, CISO may answer to MR, both can answer to other different roles in the organization, etc.), so you have to evaluate your organizational context to define which case is more adequate to your organization.

Regarding policies and procedures elaboration, both roles are required to have competency in elaborating policies and procedures, with CISO specialized in information security requirements and the MR specialized in management system requirements (in an ISMS with no MR, the CISO has to cover both information security and management system requirements).

As for documentation approval, generally policies and procedures which have overall impact on the organization are approved by top management (e.g., quality policy, information security policy, procedure for control of documents and records, etc.), specific information security related policies and procedures are approved by CISO, and other policies and procedures are approved by the MR.

These articles will provide you further explanation about the CISO and document management:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
- Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//

This material will also help you regarding document management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
