Chief Information Security Officer (CISO) – where does he belong in an org chart?


Companies that start implementing an information security program, or specifically ISO 27001, very soon realize that they cannot do it without a person who would coordinate and manage such activities. But then they face the following dilemmas: Who should this person be responsible to? In which department should this person work? How to avoid conflict of interest?

Avoiding conflict of interest

One of the most important things in information security is to avoid conflict of interest, that is, to separate the operations from control and audit. Therefore, the same person cannot be both CISO and internal auditor. Similarly, the information security manager should not work in the IT department, although since this is very difficult to achieve in smaller organizations it is usually tolerated; however, for larger organizations such conflict of interest is not allowed, and some industries are heavily regulated in this respect.

Options for placing CISO in an organization

It doesn’t really matter if you call this person Chief Information Security Officer, information security manager, information security coordinator, or something similar – basically, there are three options for placing such person within an organization:

a) A separate function directly responsible to the CEO – this is the best option, but at the same time the most expensive. It means you have a person who is dedicated full-time to information security, a professional with lots of experience in this field. This is usually the case in larger companies.

b) A position within a department with no conflict of interest – this is the situation very often seen in companies like financial institutions, where the information security manager is placed within the Operational Risk department. This means you have a person that is dedicated full-time or part-time to information security, and is a part of a team dedicated to risk mitigation. Since this person doesn’t report directly to the CEO, you don’t need to have a top professional for such a position.

c) Information security as an additional role – this is a situation typical for smaller companies – for example, the IT manager is at the same time the information security coordinator. As mentioned before, it is very difficult to avoid conflict of interest in such organizations, but this is certainly the cheapest solution and often the only feasible one for smaller organizations which start ISO 27001 implementation.

As the company develops its information security management system, certainly the position and responsibilities of Chief Information Security Officer will have to change. But much more important than the formal position of this person, is to enable him or her to be in constant contact with both the business and IT sides of the organization, and to have enough authority to implement necessary changes.

To learn about the requirements of the standard, check out this Clause-by-clause explanation of ISO 27001.

Advisera Dejan Kosutic
Author
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.