Leadership and Commitment in ISO 27001 is a relatively new control, situated under clause 5.1 of the system requirements. This article explores what is meant by leadership and commitment in ISO 27001, and how organisations can demonstrate this to auditors.
Firstly, let’s start by defining who should be responsible for demonstrating leadership and commitment in ISO 27001.
Top Management
“Top Management” is a term loosely used in ISO 27001:2013. It is often used in sentences such as “top management shall demonstrate leadership and commitment by…”.
But who are they referring to when they say top management? Can this be line managers, or does this have to be the CEO? In reality, this is down to the organisation and can depend on size, complexity, geographical location, structure and even how invested C-level are in security!
The point the standard is trying to make is that commitment for security must be driven from the top down. In an ideal world, security would be a board level issue and discussed at each board meeting without fail. In reality, this is often not the case. Either way, top management must have oversight and input into the requirements for the system and be able to demonstrate this.
How can Management demonstrate commitment?
There are a number of ways management can demonstrate commitment towards the ISMS, and towards security in general. Firstly, management must authorize and sign-off for the budget and resources to manage security effectively. This is not simply a matter of giving it to IT to perform alongside their primary function, there must clear dedication that security will be taken seriously, with dedicated personnel and reporting chains to the board.
Secondly, senior management must provide input to security policies and strategy. Objectives should be defined in liaison with the board so that controls can effectively manage data. As policies can vary greatly dependent on risk appetite, sector and legal/compliance requirements the board must communicate this to policy writers to ensure all personnel are operating in a manner aligned with the organisations overall direction.
For example, the board may wish to become best of breed as a service provider which in turn will require all systems to be available 100% of the time. This needs to be communicated in policy so IT can ensure sufficient controls are in place to make this a reality.
Finally, management can demonstrate commitment by complying with all policies themselves, and actively encouraging compliance to all personnel. It is no use defining policy requirements and then bypassing them as seniors – this is a poor example of leading by example!
The key points for this control are summarized below for ease of reference:
- Policy objectives must be set and communicated from the top down. Security requirements must be aligned with the organisations overall objectives.
- Senior management must dedicate sufficient budget and resources to security operations.
- Management must comply and actively encourage all personnel to comply with security policies. Exceptions for seniors does not set an effective security culture in the organisation.
