Management Representative and Information Security Officer for ISO27001

Affour

#1
Need some clarification...
Is the appointment of MR for ISO27001 ISMS compulsory?
What differentiates MR and Information Security Officer in terms of their roles?
Can a person be appointed for both MR and IS Officer? And at the same time the same person is also the MR for other management systems.:confused:
 

Richard Regalado
#2
Hi Affour. Excellent question.

There is no requirement for an MR (management representative) for ISO/IEC 27001, unlike other standards such as ISO 9001 and BS 25999.

In fact, the word "representative" appears only once in the standard, and only in Control A.6.1.2, Information security coordination, wherein it is required (if you implement this control) that you have representatives from various parts of your business coordinating information security activities.

In my practice, I normally nominate what I call an ISMR (information security management representative) who will be responsible for the ISMS much like a QMR (circa ISO 9001:1994) is responsible for QMS.

In some organizations, the ISO (or the CISO) is also the ISMR. What is important is that the roles and responsibilities are defined (see control A.6.1.3).

Yes, an MR can also be the ISO (information security officer).
 
Affour

#3
Thanks for your info.
With the appointment of an ISMR, do you still need to appoint an ISO/CISO?
Does the ISO/CISO have to be someone who is technically knowledgeable in the IT facilities within the ISMS scope?
 
RAVINDER KUMAR DUDI

#4
I don't think so. Because the basic need for an ISO/CISO is excellence in security management systems. The MR issue is totally separate and different. However, one question always remains: "Who looks on implementation part"?
 
