What is ISO 27001 Clause 5.1, how to write it and a downloadable ISO 27001 Clause 5.1 Template.
What is ISO 27001 Clause 5.1 Leadership and Commitment
There are many aspects of ISO 27001 that templates can help with, and there are many ISO 27001 mandatory documents. Leadership and commitment is one area where you need both the templates and genuine buy-in from management and leadership. This is a top-down approach, and it has to be seen to be a top-down approach: an auditor will look for evidence that top management is driving the ISMS, not just signing off documents someone else wrote.
What is the actual requirement of Clause 5.1 and how to meet it
The actual requirement is that top management must be able to demonstrate leadership and commitment with respect to the information security management system, and the standard is clear on what that means and what it wants to see. Top management demonstrates leadership and commitment by:
ISO 27001 Clause 5.1 a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation
This is straightforward to satisfy:
- Organisation Overview describes the business and its objectives and mission and values.
- The Information Security Management System document sets out the information security objectives.
ISO 27001 Clause 5.1 b) ensuring the integration of the information security management system requirements into the organisation’s processes;
Satisfy this by having information security policies in place and business processes operating in line with the standard. Specific evidence can then be shown against each control.
ISO 27001 Clause 5.1 c) ensuring that the resources needed for the information security management system are available;
A quick win and straightforward to satisfy:
- Information Security Roles Assigned and Responsibilities sets out the roles and responsibilities with allocated resource.
- ISMS Annex A Controls – Accountability Matrix assigns responsibility for each ISO 27002 / Annex A Control
ISO 27001 Clause 5.1 d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
Communication can easily be evidenced:
- IS 06 Information Security Awareness and Training Policy sets out the training and awareness
- Communication Plan sets out the communications for the year across media and approaches
- Your training schedule demonstrates the training plan
ISO 27001 Clause 5.1 e) ensuring that the information security management system achieves its intended outcome(s);
- The Information Security Management System document sets out the objectives. These are managed and reviewed at the Management Review Team meeting, which is itself described in the document: Information Security Roles Assigned and Responsibilities.
- The Management Review Team agenda template covers the requirements of the standard.
- A programme of internal audits is conducted, and the document: Audit Plan sets out the audits for the year.
- IS 15 Continual Improvement Policy sets out the continual improvement policy.
- Incident and Corrective Action Log captures and manages the corrective actions.
ISO 27001 Clause 5.1 f) directing and supporting persons to contribute to the effectiveness of the information security management system;
- Employment contracts and third party contracts include coverage of information security requirements.
- Document: Competency Matrix captures the core competencies and training requirements of staff in relation to information security
- Document: IS 06 Information Security Awareness and Training Policy sets out the training and awareness, and records of its operation are retained as evidence.
- Document: Communication Plan sets out the communications for the year across media and approaches
ISO 27001 Clause 5.1 g) promoting continual improvement;
- Document: IS 15 Continual Improvement Policy sets out the continual improvement policy.
- Document: Incident and Corrective Action Log captures and manages the corrective actions.
- Document: Communication Plan sets out the communications for the year across media and approaches
ISO 27001 Clause 5.1 h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
- Document: Information Security Roles Assigned and Responsibilities sets out the roles and responsibilities with allocated resource.
- A Management Review Team should be put in place with representatives from across the business.
- Document: Competency Matrix captures the core competencies and training requirements of staff in relation to information security
- Document: Communication Plan sets out the communications for the year across media and approaches
All of these documents are part of the ISO 27001 Templates Toolkit, and each is also available to download individually.
Summary
Getting this right is important. Without leadership and commitment the information security management system will fail. Think about why you are doing it and check that management agrees. If they do not, or they see it as a burden, then you are set up to fail from the outset. It can be treated as a tick-box exercise, but to succeed it really should not be.