ISO 27001 Clause 5.1 Leadership and Commitment

ISO 27001 Leadership and Commitment

I am going to show you what Clause 5.1 Leadership and Commitment is, what’s new, give you ISO 27001 templates, an ISO 27001 toolkit, show you examples, do a walkthrough and show you how to implement it.

I am Stuart Barker the ISO 27001 Ninja and using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.

What is it?

ISO 27001 Clause 5.1 Leadership and Commitment is and ISO 27001 Clause that looks to make sure you have the support and buy in of your leadership team.

Leadership and commitment is about having an information security management system (ISMS) that is driven and led from the top.

The focus for this ISO 27001 Clause is ensuring a top down approach. As one of the ISO 27001 controls this is about ensuring you have senior leadership buy in and support.

There are many aspects of ISO 27001 that ISO 27001 templates can help with and indeed there are many ISO 27001 mandatory documents. Leadership and commitment is one area that you will need both the templates and to actually get management and leadership buy in. This is a top down approach. It has to be seen as a top down approach.

There are quite a few elements to this particular ISO 27001 clause so we will work through them.

Purpose

The purpose of ISO 27001 Clause 5.1 Leadership and Commitment is to make sure that information security is driven from the top. Without this level of commitment and drive the information security management is doomed to fail. Giving this to IT to solve or devolving it to the lower ranks will see people not doing what they should do due to conflicting priorities.

Definition

The ISO 27001 standard defines ISO 27001 clause 5.1 as:

Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation;
b) ensuring the integration of the information security management system requirements into the organisation’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security
g) promoting continual improvement
h) supporting other relevant management roles to demonstrate their leadership as it applies to their

ISO27001:2022 Clause 5.1 Leadership and Commitment

Requirement

There are 8 specific requirements when it comes to leadership and commitment. This is a testament to how importantly the standard takes it. Read the implementation guide below to see exactly what they are how to quickly and simply meet the requirements.

Implementation Guide

Let us take a look at each requirement in turn. It seems daunting as there are a lot of words but it is actually really easy and straightforward to do.

Ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation

ISO 27001 Clause 5.1 a

You will write your information security policy and your associated information security policies based on the needs of the business and the risks the business faces. These are defined as part of the process of building your information security management system (ISMS).

We ensure that our information security objectives are Specific, Measurable, Achievable, Realistic and Timely (SMART) and for each objective we clearly set out what the measures are. The information security objectives are recorded and communicated in the Information Security Policy and they are included as part of the structured agenda at the Management Review Team meeting for reporting and oversight.

Our company mission and values and who we are are recorded in the Organisation overview.

The Context of Organisation document plays a pivotal role in the creation of our objectives as we look at interested parties, their needs, internal and external issues that may influence the Information Security Management System (ISMS).

Ensuring the integration of the information security management system requirements into the organisation’s processes

ISO 27001 Clause 5.1 b

The concept of ‘if it is not written down it does not exist’ plays through ISO 27001 certification. The organisation processes are going to need writing down and formatting in documents with appropriate documentation mark-up and version control. Stating what we do and not what we think auditors want to hear is key here as we will be audited against what we say we do. If we don’t do what we say we do we will fail.

You will document your processes simply and you will pay attention to having at least one exception step. An exception step caters for the ‘what if’ scenario that the process does not work or go to plan. What if the change fails? What if the software update fails? What if the virus is not quarantined? You get the idea. Auditors will always seek this out and ask. It is a common audit failure where it has not been considered and documented.

Satisfy this by having information security policies in place and then write and align your actual processes to those policies. Don’t forget to document the processes of the in scope products and services. Policies are statements of what we do not how we do it. How we do it is covered in these process documents. The process steps recorded are very specific so that anyone, even someone who has never worked in this area before, can follow them and achieve the same and consistent result.

Ensuring that the resources needed for the information security management system are available

ISO 27001 Clause 5.1 c

The success of your ISO 27001 implementation and your ISO 27001 certification will hang on having the right resources available, allocated and engaged.

To lead the work you really should consider bringing in some specialist help. The knowledge and experience of someone how has done this many times before will pay dividends and stop you making costly mistakes and wasting a lot of time. If that is not an option for you then getting members of your team trained in ISO 27001 lead implementor or ISO 27001 lead auditor may be a viable option. This courses come with a word of caution though as they mainly booked based and generic in nature. They do not share the real world trials and tribulations of how you actually implement in your organisation.

Which ever route you go, having a resource to lead the implementation and certification is a requirement.

Then it is a case of understanding the ISO 27001 standard and the ISO 27001 Annex A controls (referred to as ISO 27002) and allocating members of your team to those controls. You do this by recording them in an ISMS Annex A Controls – Accountability Matrix which assigns responsibility for each ISO 27001 Annex A Control.

It is ok that the work is carried out by a third party company but you must still assign internal responsibility for managing it and ensuring it gets done.

Working out who your information security leadership team is will be straightforward and you will implement a Management Review Team that will be responsible for the oversight of the information security management system (ISMS). The best way to work out who attends this is to have a senior representative from each department in the business plus ( if not already covered ) and member of the senior leadership team.

Communicating the importance of effective information security management and of conforming to the information security management system requirements

ISO 27001 Clause 5.1 d

Communication is expected at all levels, across all medium and has some very specific requirements. It can easily be implemented and evidenced.

It can take many forms. For example it will be part of any legal contracts that you have with suppliers and with clients as well as employees.

You will implement an Information Security Awareness and Training Policy that sets out the training and awareness for the company as well as deploying training tools that allow you to schedule your communications and include acknowledgement of understanding such as tests or quizzes that you can use to evidence your compliance. You will plan your training based on business need and business risk but you will do Basic Information Security Awareness Training and Basic Data Protection Training at least annually. You may tailor your training and communication to specific groups and sub groups based on their specific needs.

You will implement a Communication Plan that sets out the communications for the year across media and approaches. It will be a record and a plan of what was communicated, who communicated it, to whom they communicated it, what they communicated and how they communicated it and it will include the evidence the communication took place.

There may be other processes that involve communication that you will evidence. Here we think about off boarding an employee when they leave or due to termination where we want to communicate again their requirements under contract for information security and the expectations that we place on them.

Ensuring that the information security management system achieves its intended outcomes

ISO 27001 Clause 5.1 e

The Information Security Management System (ISMS) sets out the objectives. These are managed and reviewed at the Management Review Team meeting which is documented in the document: Information Security Roles Assigned and Responsibilities.

The agenda template covers the requirements of the standard that includes the regular reporting and monitoring of the information security measures we have put in place for our information security objectives. Getting the measures right, and then recording and reporting on them is a primary approach to ensuring intended outcomes.

In addition we have an on going program of internal audit is conducted here our Audit Plan sets out the audit plan for the year. Internal audit is part of continual improvement, a founding principle of ISO 27001 you will implement the Continual Improvement Policy and associated processes. This process utilise the Incident and Corrective Action Log to capture and manage the corrective actions and improvements.

Directing and supporting persons to contribute to the effectiveness of the information security management system

ISO 27001 Clause 5.1 f

We want people to contribute effectively and the way we do that is via communicating and supporting them. If we don’t tell people what is expected we can not expect them to do it. You will have employment contracts and third party contracts that include coverage of information security requirements.

You will have a Competency Matrix that captures the core competencies and training requirements of staff in relation to information security.

Your Information Security Awareness and Training Policy sets out the training and awareness and your training tool and package is used to manage the process and the compliance.

The Communication Plan sets out the communications for the year across media and approaches as discussed above.

Promoting continual improvement

ISO 27001 Clause 5.1 g

As discussed continual improvement is baked in and a core principle. This is not a one and done. The external audits will happen every year as will your ongoing internal audits. Incidents will happen that need managing. Deviations from policy and procedure will happen. New ways of working and new tools will be identified.

Your Continual Improvement Policy sets out the continual improvement policy and the Incident and Corrective Action Log captures and manages the corrective actions and improvements.

The Communication Plan sets out the communications for the year across media and approaches and your management review team oversees the entire continual improvement process.

Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility

ISO 27001 Clause 5.1 h

You are starting to see a pattern that a small set of documents meets a lot of requirements. This because they have been intentionally written this way to provide the most efficient ISO 27001 implementation approach. The entire ISO 27001 toolkit is streamlined for efficient. For this sub clause the Information Security Roles Assigned and Responsibilities sets out the roles and responsibilities with allocated resource. A Management Review Team should be put in place with representatives from across the business. The Competency Matrix captures the core competencies and training requirements of staff in relation to information security. The Communication Plan sets out the communications for the year across media and approaches.

ISO 27001 Templates

ISO 27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. Not interested in ISO 27001 templates, then you can skip to the next section.

The ISO 27001 Toolkit includes everything you need to demonstrate leadership and commitment, and satisfy the requirements of this clause.

How to pass the audit

To pass an audit of ISO 27001 Clause 5.1 you are going to make sure that you have followed the steps above in the implementation guide.

You are then going to conduct an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

What will the audit check?

The audit is going to check a number of areas for compliance with Clause 5.1. Lets go through them

1. An interview with senior leadership

Part of the audit process will be a series of interviews and at least one will be with senior leadership. Here they will ask questions about the information security management system. They will ask about the objectives for information security, when they last did a management review, where the policies are, if there are incidents in the last 12 months. This is a general interview but will catch you out if your senior leadership is not actually involved.

2. Your documentation

It is simple but they will check the required documents and processes of the information security management system (ISMS) that relate to leadership and commitment. This usually means the communication plan and communications sent, that management reviews have happened and you can evidence them. That all document and processes have been signed off and communicated. Work through the implementation guide above and be sure to complete it.

3. That you have resources

Part of leading and showing commitment is to have adequate resources in place to run the ISMS. Here they are looking at roles and responsibilities, the competency matrix, the training plan. Are people allocated to roles and do they have the skills to perform the tasks.

Top 3 Mistakes People Make

In my experience, the top 3 mistakes people make for ISO 27001 clause 5.1 are

1. Leadership are not engaged

It is easy to document roles and responsibilities and say leadership is engaged and committed but it is another thing for it to actually happen. If they pay lip service, come the audit and the interviews you will get caught out. Putting aside not having commitment means it is highly likely your ISMS isn’t actually effective and if you are responsible for it you are going to spend most of your career there frustrated.

2. You cannot evidence management reviews

The guides and toolkit give you the resources to address this but many organisations just don’t do reviews. Or when they do the wrong people attend making it ineffective. Be able to evidence management reviews that follow the structured agenda of the standard.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Summary

Getting this right is important. Without the leadership and the commitment the information security management system will fail. Think about why you are doing it and check that the management agrees. If they do not, or they see it has a burden then you are doomed to fail from the offset. It can be just a tick box exercise, to succeed, it really really should not be.

ISO 27001 clause 5.1 FAQ