Introduction
In this tutorial we will cover Leadership and Commitment.
You will learn what ISO 27001 Leadership and Commitment is and how to implement it.
ISO 27001 Leadership and Commitment
ISO 27001 is a top-down, leadership-led standard, so you are going to make sure that top management can demonstrate leadership and commitment with respect to the information security management system.
That leadership and commitment will:
1. Ensure the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation.
2. Ensure the integration of the information security management system requirements into the organisational processes.
3. Ensure that the resources needed for the information security management system are available.
4. Communicate the importance of effective Information Security Management and of conforming to the information security management system requirements.
5. Ensure that the information security management system achieves its intended outcomes.
6. Direct and support persons to contribute to the effectiveness of the information security management system.
7. Promote continual improvement.
8. Support other relevant management roles to demonstrate their leadership as it applies to their role and information security.
Implementation Guide
ISO 27001 is a top-down leadership standard. It is aligned with the majority of the ISO management system standards: they all follow a very similar format, so if you have implemented other ISO standards such as ISO 9001 then a lot of what you will see here is going to be familiar to you. It may well be that you can reuse what you already have, or just make a slight tweak.
You have to show it, and you have to lead from the top. This isn’t driven by some guy or lady in IT, and it isn’t driven by some information security person like me with their police hat on or their parent hat on telling you what it is that you need to do.
This has to be driven from leadership. It has to be driven from the top.
Information security policy and objectives
You need to implement an information security policy supported by a set of topic-specific policies. The policies are statements of what you do, and you use them to communicate to staff, employees and other people within your organisation what it is that you do when it comes to information security.
Policies will also be used externally to communicate to potential customers and existing customers what it is that you do for information security.
Next you will set out the process for establishing objectives and list what your objectives are.
Integrate the information security management system requirements into the organisational processes
You ensure the integration of the information security management system requirements into the organisational processes.
For a smaller organisation it is common that you have processes but they are not documented, or they are documented but just need a slight tweak.
It’s how you run your business.
The processes need to be documented, with process maturity and evidence of operation.
Ensure resources are available
The first resource you need is the information security management system. This is the ISO 27001 toolkit.
You’re going to need a management review team: an oversight body that follows a structured agenda and has specific responsibilities associated with it.
You’re going to need an information security person who is responsible for information security, and the resources within the organisation to deliver it have to be made available.
There are a number of recommended documents to demonstrate this. The roles and responsibilities document sets out all the roles and states what each role’s responsibilities are; you then allocate people to them.
Communicate
You are going to communicate the importance of an effective information security management system and of conforming to the management system requirements. There are a number of different ways to demonstrate that from a leadership point of view.
For a detailed run through, read ISO 27001 Clause 7.4 Communication.
Achieve its intended outcomes
To achieve its intended outcomes you need to have some objectives.
Common examples:
- implement a culture of security and awareness,
- management of the supply chain
- achieve ISO 27001 certification
Objectives should be SMART: specific, measurable, achievable, realistic, timely.
Once you have objectives you will measure them. Examples of how to measure them include:
- through the management review team meeting
- operational security meetings
- an annual update and review
Direct and support people
You will direct and support people to contribute to the effectiveness of the management system via:
- Policies
- Training
- Communication
- Competency Management and Competency Matrix
Promote continual improvement
Implement continual improvement. For further reading, see ISO 27001 Clause 10.1 Continual Improvement.
Supporting management roles
Support other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
Examples of how to support other management roles include:
- competency matrix
- training plans
- communication plans
- management review meeting
- top-down communication