ISO 27001 Information Security - Clause 5.1 Leadership and commitment

5.1 Leadership and commitment

In the previous posts in this series, we looked at ISO 27001's clause 4 which is all about the context of your organization. Those posts are available from the blog menu if you would like to check them out. We now move on to clause 5 which is about leadership.

ISO 27001 is of course, based on the famous P-D-C-A cycle (Plan, Do, Check, Act) and clause 5 is still part of the P for Planning quadrant of that cycle. in this article we will be discussing clause 5.1 in particular - leadership and commitment.

For an ISMS to be really successful, it needs to be inspired and led from the top. Top management must take accountability for it, express their commitment, and give direction. In any sizeable organization, top management will not be able to attend to much of the day-to-day administration of the ISMS themselves. Other people may perform those roles, but they must be given leadership, support, and adequate resources to fulfill their task.

Genuine commitment to - and leadership of - an Information Security management system by top management will happen when there is a clear appreciation of a positive benefit / cost ratio.

Commitment

So, what suggests genuine commitment to Information Security? Well, let's start with the Information Security Policy. This is the peak document of the ISMS - a declaration of intent - a mission statement if you like. An expression of commitment would be for a very senior person (such as MD / GM / CEO / CIO / CTO) to authorise the policy.

The Information Security Policy should be supplemented by setting some strategic objectives that are consistent with the wider aims of the organization.

Sure-fire evidence of commitment is when sufficient allocation of budget and resources is made for the system to achieve those objectives. Now, that's the core of this particular issue - sufficient allocation of budget and resources. Developing a good - and ever-improving - Information Security management system will take time and money. However, there is no free alternative.

Leadership

ISO 27001 also requires top management to demonstrate their leadership of the ISMS. In our view, that was a very good move. It reinforced the need for top management to take accountability for the effectiveness of the ISMS and recognises the unique position of influence they hold.

The clause includes a list of bullet point items (marked a-h) that specify detailed requirements. It is easy to identify those that go beyond commitment to top management taking a hands-on approach and demonstrating leadership. In some of the bullet points, the requirements begin with: 'Top management shall ensure...'. In those cases, top management may just need to have enough commitment to provide the means (e.g. availability of time, money etc.) to ensure that someone else can make it happen.

However, in other cases, different verbs are used e.g. communicate, promote, support etc. These highlight that a direct involvement and leadership is expected.

A detailed discussion on these items is available in in ISO 27001 InfoSec Toolkit which is included in Qudos 3 IMS software.

Clearly, if top management genuinely demonstrate their leadership, others are more likely to follow, leading to a more inclusive ISMS that aligns well with everyday business activities.

The previous blog post in this series is ISO 27001 Clause 4.4 Information Security Management System.

The next blog in this series is on clause 5.2 Policy.