Organizational chart - ISMS
I am the Quality Manager at *** and I am in charge of implementing ISO 27001 in the company. For this purpose, we have purchased the ISO 27001 Toolkit from Advisera, exactly ISO 27001 Documentation Toolkit English (with extended support).
In our case, we have a question that we would like to clarify with you, as we are sure you have seen more cases like this in many other companies.
*** is a small company (around 20-30 people) that is in a growth and expansion phase (in the next few years). As we are a manufacturer of custom-made medical devices, we have a Quality Management System according to ISO 13485 (applicable to medical device manufacturers) in place in the company.
Now, in defining and implementing ISO 27001 using the materials provided by Advisera, we see that there are many overlapping aspects between ISMS and QMS.
In all the material that Advisera provides in the ISO 27001 toolkik you mention the figure of the CISO or Information Security Manager. In *** all these tasks are being managed by the QARA Manager, which is me in this case.
Does ISO 27001 require the presence of a CISO or an Information Security Manager in the organizational chart?
What are the roles that must appear in the organizational chart by ISO 27001 requirement and that we should include in the current *** organizational chart?
Could all these roles be covered by Spentys’ current QARA Manager?
What do you recommend in this regard?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1 - Does ISO 27001 require the presence of a CISO or an Information Security Manager in the organizational chart?
This role is not prescribed by the standard, so you can designate any existing role in your organization, or create a new one, to perform activities generally performed by the CISO/Information Security Manager.
For further information about the CISO, see:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
- Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
2 - What are the roles that must appear in the organizational chart by ISO 27001 requirement and that we should include in the current *** organizational chart?
Besides top management and internal auditor, ISO 27001 does not specify any other roles for information security, so you can include any specific role you consider relevant.
3 - Could all these roles be covered by *** current QARA Manager?
I’m assuming that by QARA you mean Quality Assurance & Regulatory Affairs.
Considering that, provided that the QARA manager has the competencies needed to perform the roles relevant to information security, this person can assume these roles.
4 - What do you recommend in this regard?
Roles and responsibilities generally designated to a CISO are very similar to those of a QMS manager:
- ensuring that the ISMS conforms to the ISO 27001 requirements
- reporting on the performance of the ISMS to top management
Considering that these management activities can be designated to the QARA.
However, some security roles may require expertise in other areas that may require to be performed by other roles (e.g., network security, performed by an IT analyst).
Comment as guest or Sign in
Sep 29, 2022