The Ultimate Certification Guide to ISO 27001 Clause 5.1 Leadership and Commitment

What is ISO 27001 Clause 5.1 Leadership and Commitment?

There are many aspects of ISO 27001 that ISO 27001 templates can help with and indeed there are many ISO 27001 mandatory documents. Leadership and commitment is one area that you will need both the templates and to actually get management and leadership buy in. This is a top down approach. It has to be seen as a top down approach.

There are quite a few elements to this particular ISO 27001 clause so we will work through them.

What are the ISO 27001:2022 Changes to Clause 5.1?

There are no changes to ISO 27001 Clause 5.1 in the 2022 update.

What is the requirement of ISO 27001 Clause 5.1?

There are 8 specific requirements when it comes to leadership and commitment. This is a testament to how importantly the standard takes it.

The Clauses of ISO 27001 5.1

Let us take a look at each in turn:

ISO 27001 Clause 5.1 a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation

You will write your information security policy and your associated information security policies based on the needs of the business and the risks the business faces. These are defined as part of the process of building your information security management system (ISMS).

We ensure that our information security objectives are Specific, Measurable, Achievable, Realistic and Timely (SMART) and for each objective we clearly set out what the measures are. The information security objectives are recorded and communicated in the Information Security Policy and they are included as part of the structured agenda at the Management Review Team meeting for reporting and oversight.

Our company mission and values and who we are are recorded in the Organisation overview.

The Context of Organisation document plays a pivotal role in the creation of our objectives as we look at interested parties, their needs, internal and external issues that may influence the Information Security Management System (ISMS).

ISO 27001 Clause 5.1 b) ensuring the integration of the information security management system requirements into the organisation’s processes;

The concept of ‘if it is not written down it does not exist’ plays through ISO 27001 certification. The organisation processes are going to need writing down and formatting in documents with appropriate documentation mark-up and version control. Stating what we do and not what we think auditors want to hear is key here as we will be audited against what we say we do. If we don’t do what we say we do we will fail.

You will document your processes simply and you will pay attention to having at least one exception step. An exception step caters for the ‘what if’ scenario that the process does not work or go to plan. What if the change fails? What if the software update fails? What if the virus is not quarantined? You get the idea. Auditors will always seek this out and ask. It is a common audit failure where it has not been considered and documented.

Satisfy this by having information security policies in place and then write and align your actual processes to those policies. Don’t forget to document the processes of the in scope products and services. Policies are statements of what we do not how we do it. How we do it is covered in these process documents. The process steps recorded are very specific so that anyone, even someone who has never worked in this area before, can follow them and achieve the same and consistent result.

ISO 27001 Clause 5.1 c) ensuring that the resources needed for the information security management system are available;

The success of your ISO 27001 implementation and your ISO 27001 certification will hang on having the right resources available, allocated and engaged.

To lead the work you really should consider bringing in some specialist help. The knowledge and experience of someone how has done this many times before will pay dividends and stop you making costly mistakes and wasting a lot of time. If that is not an option for you then getting members of your team trained in ISO 27001 lead implementor or ISO 27001 lead auditor may be a viable option. This courses come with a word of caution though as they mainly booked based and generic in nature. They do not share the real world trials and tribulations of how you actually implement in your organisation.

Which ever route you go, having a resource to lead the implementation and certification is a requirement.

Then it is a case of understanding the ISO 27001 standard and the ISO 27001 Annex A controls (referred to as ISO 27002) and allocating members of your team to those controls. You do this by recording them in an ISMS Annex A Controls – Accountability Matrix which assigns responsibility for each ISO 27002 / Annex A Control.

It is ok that the work is carried out by a third party company but you must still assign internal responsibility for managing it and ensuring it gets done.

Working out who your information security leadership team is will be straightforward and you will implement a Management Review Team that will be responsible for the oversight of the information security management system (ISMS). The best way to work out who attends this is to have a senior representative from each department in the business plus ( if not already covered ) and member of the senior leadership team.

ISO 27001 Clause 5.1 d) communicating the importance of effective information security management and of conforming to the information security management system requirements;

Communication is expected at all levels, across all medium and has some very specific requirements. It can easily be implemented and evidenced.

It can take many forms. For example it will be part of any legal contracts that you have with suppliers and with clients as well as employees.

You will implement an Information Security Awareness and Training Policy that sets out the training and awareness for the company as well as deploying training tools that allow you to schedule your communications and include acknowledgement of understanding such as tests or quizzes that you can use to evidence your compliance. You will plan your training based on business need and business risk but you will do Basic Information Security Awareness Training and Basic Data Protection Training at least annually. You may tailor your training and communication to specific groups and sub groups based on their specific needs.

You will implement a Communication Plan that sets out the communications for the year across media and approaches. It will be a record and a plan of what was communicated, who communicated it, to whom they communicated it, what they communicated and how they communicated it and it will include the evidence the communication took place.

There may be other processes that involve communication that you will evidence. Here we think about off boarding an employee when they leave or due to termination where we want to communicate again their requirements under contract for information security and the expectations that we place on them.

ISO 27001 Clause 5.1 e) ensuring that the information security management system achieves its intended outcome(s);

The Information Security Management System (ISMS) sets out the objectives. These are managed and reviewed at the Management Review Team meeting which is documented in the document: Information Security Roles Assigned and Responsibilities.

The agenda template covers the requirements of the standard that includes the regular reporting and monitoring of the information security measures we have put in place for our information security objectives. Getting the measures right, and then recording and reporting on them is a primary approach to ensuring intended outcomes.

In addition we have an on going program of internal audit is conducted here our Audit Plan sets out the audit plan for the year. Internal audit is part of continual improvement, a founding principle of ISO 27001 you will implement the Continual Improvement Policy and associated processes. This process utilise the Incident and Corrective Action Log to capture and manage the corrective actions and improvements.

ISO 27001 Clause 5.1 f ) directing and supporting persons to contribute to the effectiveness of the information security management system;

We want people to contribute effectively and the way we do that is via communicating and supporting them. If we don’t tell people what is expected we can not expect them to do it. You will have employment contracts and third party contracts that include coverage of information security requirements.

You will have a Competency Matrix that captures the core competencies and training requirements of staff in relation to information security.

Your Information Security Awareness and Training Policy sets out the training and awareness and your training tool and package is used to manage the process and the compliance.

The Communication Plan sets out the communications for the year across media and approaches as discussed above.

ISO 27001 Clause 5.1 g) promoting continual improvement;

As discussed continual improvement is baked in and a core principle. This is not a one and done. The external audits will happen every year as will your ongoing internal audits. Incidents will happen that need managing. Deviations from policy and procedure will happen. New ways of working and new tools will be identified.

Your Continual Improvement Policy sets out the continual improvement policy and the Incident and Corrective Action Log captures and manages the corrective actions and improvements.

The Communication Plan sets out the communications for the year across media and approaches and your management review team oversees the entire continual improvement process.

ISO 27001 Clause 5.1 h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

You are starting to see a pattern that a small set of documents meets a lot of requirements. This because they have been intentionally written this way to provide the most efficient ISO 27001 implementation approach. The entire ISO 27001 toolkit is streamlined for efficient. For this sub clause the Information Security Roles Assigned and Responsibilities sets out the roles and responsibilities with allocated resource. A Management Review Team should be put in place with representatives from across the business. The Competency Matrix captures the core competencies and training requirements of staff in relation to information security. The Communication Plan sets out the communications for the year across media and approaches.

Summary

Getting this right is important. Without the leadership and the commitment the information security management system will fail. Think about why you are doing it and check that the management agrees. If they do not, or they see it has a burden then you are doomed to fail from the offset. It can be just a tick box exercise, to succeed, it really really should not be.