When conducting an interview to assess an organization’s compliance with ISO 27001, it is important to interview members of senior management to understand the organization’s commitment to information security and its approach to implementing the information security management system (ISMS).
Some specific roles within senior management that you may want to consider interviewing include:
- The CEO or president: This person is responsible for the overall direction and strategy of the organization and will have a broad understanding of the organization’s approach to information security.
- The chief information security officer (CISO) or other information security leaders: These individuals are responsible for managing the organization’s information security program and will have a detailed understanding of the ISMS and how it is implemented.
- The chief financial officer (CFO) or other financial leaders: These individuals will have a good understanding of the organization’s financial resources and how they are allocated, including any resources dedicated to information security.
- The head of human resources (HR) or other HR leaders: These individuals will be responsible for managing the organization’s employee policies and procedures, including those related to information security.
- The head of legal or other legal leaders: These individuals will be responsible for managing the organization’s legal affairs and will have a good understanding of any legal requirements related to information security.
It is important to tailor the list of individuals to be interviewed to the specific needs of the organization. For example, if the organization is heavily reliant on third-party service providers, you may want to interview the individuals responsible for managing these relationships.