Expert Advice Community

Role of CISO

Guest user. Created: Feb 08, 2022. Last commented: Feb 10, 2022

Is CISO responsible for physical data/information on paper as well as the digital information?

Expert: Rhand Leal, Feb 08, 2022

ISO 27001 does not prescribe the role of CISO, but it is generally accepted that, as Chief Information Security Officer, this person should be responsible for data and information protection regardless of the media it is on.

These articles will provide you with further explanation about CISO:

Max Feb 08, 2022

It would be interesting to also address the role of the DPO and the intersection with CISO, as private information is also information a CISO might want to protect, but he or she is most likely going to have to reckon with the DPO ;-)

Expert: Rhand Leal, Feb 10, 2022

Please note that considering ISO 27001, if private information is part of the Information Security Management System scope, the CISO will have to protect it anyway. The fact that the organization may need to be compliant with some legal requirements related to private information (e.g., EU GDPR) will only mean that there are additional requirements to be considered by the CISO for the protection of this kind of information.

In cases where all private information handled by the organization is part of the ISMS scope, the CISO may also be designated as the DPO.

In such scenarios, you may want to consider the use of ISO 27701 which defines requirements for a Privacy Information Security Management System.

For further information, see:

