
CISO (Chief Information Security Officer)

Reviewed by: Cenedril Editorial

The CISO (Chief Information Security Officer) is the executive accountable for an organization's information security. The role covers governance of the information security management system (ISMS), reporting on security posture and risk to top management, and coordinating security measures across the organization.

ISO/IEC 27001 Clause 5.3 (Organizational roles, responsibilities and authorities) requires top management to assign and communicate the responsibilities and authorities for roles relevant to the ISMS. The standard does not mandate a CISO by title, but the CISO is the typical holder of this responsibility. In smaller organizations the function is often filled by the IT manager or a designated information security officer. Organizational independence matters: the CISO should not report to the IT manager, because the person accountable for security would then depend on the person whose operations they must assess, and security findings could be overruled by operational priorities. Typical duties include risk management, policy development, security awareness, incident coordination, and audit support.