ISO 27001 Information Security - Clause 5.1 Leadership and commitment
11 May 2022 - ISO 27001 Information Security in plain English - Blog post #5.
With this article, we move into the standard's clause 5 which includes a number of requirements for top management. It's all part of ISO's initiatives to involve senior management in the ISMS and encourage the alignment of the system with other business activities.
ISO 27001 Information Security in plain English
Information Security is becoming critical to every business, and there is a fast-growing trend towards developing management systems based on the ISO 27001 standard. However, the subject and its terminology can certainly be a little daunting. So, we set out to cut through that in 'ISO 27001 Information Security in plain English' - a series of blogs articles that explains all clauses and controls in the standard.
5.1 Leadership and commitment
In the previous posts in this series, we looked at ISO 27001's clause 4 which is all about the context of your organization. Those posts are available from the blog menu if you would like to check them out. We now move on to clause 5 which is about leadership.
ISO 27001 is of course, based on the famous P-D-C-A cycle (Plan, Do, Check, Act) and clause 5 is still part of the P for Planning quadrant of that cycle. in this article we will be discussing clause 5.1 in particular - leadership and commitment.
For an ISMS to be really successful, it needs to be inspired and led from the top. Top management must take accountability for it, express their commitment, and give direction. In any sizeable organization, top management will not be able to attend to much of the day-to-day administration of the ISMS themselves. Other people may perform those roles, but they must be given leadership, support, and adequate resources to fulfill their task.
Genuine commitment to - and leadership of - an Information Security management system by top management will happen when there is a clear appreciation of a positive benefit / cost ratio.
So, what suggests genuine commitment to Information Security? Well, let's start with the Information Security Policy. This is the peak document of the ISMS - a declaration of intent - a mission statement if you like. An expression of commitment would be for a very senior person (such as MD / GM / CEO / CIO / CTO) to authorise the policy.
The Information Security Policy should be supplemented by setting some strategic objectives that are consistent with the wider aims of the organization.
Sure-fire evidence of commitment is when sufficient allocation of budget and resources is made for the system to achieve those objectives. Now, that's the core of this particular issue - sufficient allocation of budget and resources. Developing a good - and ever-improving - Information Security management system will take time and money. However, there is no free alternative.
ISO 27001 also requires top management to demonstrate their leadership of the ISMS. In our view, that was a very good move. It reinforced the need for top management to take accountability for the effectiveness of the ISMS and recognises the unique position of influence they hold.
The clause includes a list of bullet point items (marked a-h) that specify detailed requirements. It is easy to identify those that go beyond commitment to top management taking a hands-on approach and demonstrating leadership. In some of the bullet points, the requirements begin with: 'Top management shall ensure...'. In those cases, top management may just need to have enough commitment to provide the means (e.g. availability of time, money etc.) to ensure that someone else can make it happen.
However, in other cases, different verbs are used e.g. communicate, promote, support etc. These highlight that a direct involvement and leadership is expected.
A detailed discussion on these items is available in in ISO 27001 InfoSec Toolkit which is included in Qudos 3 IMS software.
Clearly, if top management genuinely demonstrate their leadership, others are more likely to follow, leading to a more inclusive ISMS that aligns well with everyday business activities.
The previous blog post in this series is ISO 27001 Clause 4.4 Information Security Management System.
The next blog in this series is on clause 5.2 Policy.
About the series 'ISO 27001 Information Security in plain English'
This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.
This blog series began with an introductory webinar. A copy of the slide deck is available for you here:
Qudos_ISO_27001 Information_Security_in_plain_English (PDF)
Click the LinkedIn Follow button below to receive notifications.
There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.
Ready to start your journey to ISO 27001?
Qudos 3 IMS software includes an ISMS Overview template along with a wide range of tools to help you develop and maintain your management system faster, better and smarter.
The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experience certification auditor to perform a professional Gap Analysis service for you.
Contact us today to discuss your needs!