We have a question regarding the team that needs to implement and maintain the ISMS as defined in section 4.4 of "05_Information_Security_Policy_27001_EN".
We also want these team members to be able to approve requests, for example those in "09.01_IT_Security_Policy_27001_EN" for installing software, running Java, to name just a few.
We don't want only one person to approve this, whether it is the IT manager or the CTO.
We are a 50-user *** company.
It does not make sense to me for the executive team to be the one in charge of the above, since in our case it is a small team of mostly non-technical users.
We thought of creating a 3-person team (maybe call it "IT Team", or another name if you have a better idea) that includes the CTO, the IT Manager and the Head of Engineering. This team already meets weekly to discuss these matters, so I thought of officially putting it in our ISMS documentation.
Do you think that is a good idea?
Is it in line with the standard?
If so, is it best described in "05_Information_Security_Policy_27001_EN"?