Expert Advice Community

Security organizations and security roles

Guest user Created:   May 26, 2016 Last commented:   May 26, 2016

We are building an ISMS based on the ISO 27001 standard. From the ISO 27001 point of view, a Security Organization needs to be built.

Expert
Dejan Kosutic May 26, 2016

Answer: This is not entirely true - you have to build an Information Security Management System; the term "Security organization" is not mentioned in the standard. See this article: What is an Information Security Management System (ISMS) according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/23/information-security-management-system-isms-according-iso-27001/

How important are the roles? For example, can a person's title be “Network Engineer” and role be information security officer? Is this understanding correct, that the organization should have security roles reflected as HR titles as well?

Answer: It is very important to clearly define roles and responsibilities - in smaller companies it does make sense to give a role of information security management to an employee who will perform this role together with his other regular duties. The standard doesn't require this, but you can give a title to this security role - e.g. Chief Information Security Officer, Information Security Officer, Security Manager, or similar.

See also these articles:
- Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
