The SIRO (Senior Information Risk Owner) should be a senior member of the company who takes personal responsibility for managing the information risks associated with the service(s) the company provides, often to public sector organisations.
The SIRO should demonstrate strong governance of information security issues, backed by a comprehensive risk management programme covering the principles of:
It is also important to address physical threats, such as access to the organisation’s offices and facilities, and to cover staff training, alongside technical IT controls such as encryption; together these protect the information under the organisation’s control.
However, it should be noted that ISO 27001 certification on its own will not always satisfy the purchasing body: the organisation may also need to meet additional requirements, such as the NHS IG Toolkit, or undergo on-site verification audits.
ISO 27001 Information Security – www.assentriskmanagement.co.uk/iso27001
Choosing a Certification Body – www.certbodies.co.uk
ISO 27001 to NHS IG Toolkit Mapping – www.assentriskmanagement.co.uk/healthcare
Source: Assent People