Can your organization successfully implement the ISO 27001 standard if its leadership isn’t committed to getting it done? The answer, of course, is no, but it goes beyond the reasons you might expect.
Any new effort is bound to fail if leadership isn’t behind it, but the ISO 27001 standard actually requires leadership to formally commit. In this piece, you’ll learn why leadership commitment is so important and how it can be demonstrated for purposes of complying with ISO 27001.
Clause 5.1 of the ISO 27001 standard is titled Leadership and commitment. It requires top management of your organization to demonstrate leadership and commitment to building and maintaining an effective Information Security Management System, or ISMS. There are eight specific requirements that top management must meet:
1. Ensure that the information security policy and the information security objectives are established and that they are compatible with the strategic direction of the organization.
2. Ensure that the ISMS requirements are integrated into the organization's processes.
3. Ensure that the resources needed for the ISMS are available.
4. Communicate the importance of effective information security management and of conforming to the ISMS requirements.
5. Ensure that the ISMS achieves its intended outcomes.
6. Direct and support the people who contribute to the effectiveness of the ISMS.
7. Promote continual improvement of the ISMS.
8. Support other relevant management roles in demonstrating their leadership as it applies to their areas of responsibility.
This clause is specifically designed to avoid the situation where an organization's leadership says it wants to be secure or comply with ISO 27001, but does not follow through with the actions and resources needed to get there. The eight requirements are concrete, and an auditor can readily check whether each is being met: whether a policy and objectives exist and are approved, whether budget and staff have been allocated, whether ISMS performance is reviewed, and so on.
A good way to demonstrate compliance with this clause is to write a statement of management commitment to information security and have it signed by the leader of your organization. This statement can be a simple one-page document declaring that the organization is committed to doing what is necessary to protect its information, including establishing the security policy and objectives, providing the resources the ISMS needs, and reviewing whether the ISMS is achieving its intended outcomes.
If your organization is sincerely committed to that, your leader should have no problem signing it. Keep in mind that the signed statement is evidence of commitment, not a substitute for it: an auditor will expect to see the commitments in the statement backed by the resources, assigned responsibilities and management reviews that the eight requirements above call for.