Expert Advice Community

Roles for ISO 27k, how many layers are needed?

Guest user Created: Jan 29, 2016 Last commented: Jan 29, 2016

I have a question about the ISMS roles in a small organisation. We're a company of about 20 employees, so naturally there are not many management layers. Basically we have a COO and a CEO above the ISMS team, and this makes assigning the roles a bit challenging. Do you have a recommendation on what roles are needed for a small organisation for ISO 27k? We currently do not have formal roles of, e.g., quality manager or head of information security, but we can quite easily formalise additional roles if needed. One single person might have more than one role.

Expert
Dejan Kosutic Jan 29, 2016

Answer:

For such a small company you basically need only one additional role - a person who will coordinate the implementation of ISO 27001 (i.e. project manager), and this person can be at the same time the security manager (i.e. CISO). Of course, these roles can be performed by some of your existing employees, probably someone from the top management (it will take him/her perhaps 20% of the time).

All the other security roles will be included in the responsibilities of existing employees/managers - e.g. for passwords or for backups, the responsible person will be the person in charge of IT. You should formalize those responsibilities throughout various ISMS policies and procedures.

These articles will also help you:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
- Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- ISO 27001 Implementation Checklist: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

Finally, you might be interested in this free online course: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
