Answer: ISO 27001 requires you to have at least the following roles:
- Top management, who make the crucial decisions - typically this is the CEO.
- A person responsible for the implementation and maintenance of security - typically this is the security officer, but in a very small company this role could be performed by the CEO.
- An internal auditor who performs regular internal audits - this can be someone from within the company, or you can hire someone externally.
All the other roles you can define through your policies and procedures.