ISO 27001 Leadership and Commitment


Hi, I’m the ISO 27001 Ninja and this is going to be ISO 27001 Clause 5.1 Leadership and Commitment. This is going to be your ultimate guide. What is it? What do you need to do to satisfy it? What are the common mistakes that people make? What is an auditor going to look for? How do you pass? This is part of our series on making you successful in ISO 27001 certification.


Implementation Guide

ISO 27001 Leadership and Commitment Definition

We’re going to start with the definition. The definition is – top management shall demonstrate leadership and commitment with respect to the information security management system.

Now there are eight points here, eight points where leadership is going to demonstrate its level of commitment. You’d think it would be easy, right? Oh yeah, we just satisfy it, right? But there are at least eight things that the auditor is looking for to see that you’ve done. Let’s go through them.

1. Ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation. Easy for you to say.

2. Ensuring the integration of the information security management system requirements into the organisational processes.

3. Ensuring that the resources needed for the information security management system are available.

4. Communicating the importance of effective Information Security Management and of conforming to the information security management system requirements.

5. Ensuring that the information security management system achieves its intended outcomes.

6. Directing and supporting persons to contribute to the effectiveness of the information security management system.

7. Promoting continual improvement.

8. Supporting other relevant management roles to demonstrate their leadership as it applies to their role and information security.

That is ISO 27001 Clause 5.1. It’s the 2022 definition of the standard. There’s a lot to go at.


Top Down Leadership Standard

ISO 27001 is a top-down leadership standard. It is now aligned with the majority of the ISO management system standards. They all follow a very similar format, so if you’ve implemented something like ISO 9001 or another ISO standard, a lot of what you see here is going to be familiar to you and you can potentially reuse it, or just make a slight tweak. So you might have a head start if you’ve already got a leadership system like that in place.

We have to show leadership and we have to lead from the top. This isn’t driven by some guy or lady in IT, and it isn’t driven by some information security person like me with their police hat on or their parent hat on telling you what it is that you need to do. This has to be driven from leadership; it has to be driven from the top.

You have to want it. You have to drive it.

You have to show that you’re committed to it. This is the only way that we’re going to get an effective information security management system.

Let’s have a little look then and let’s go through the eight points in a little bit more detail.

Ensuring the information security policy and the objectives are established and are compatible with the direction of the organisation.

So let’s look at ensuring the information security policy and the objectives are established and are compatible with the direction of the organisation. When it comes to the implementation of ISO 27001, many of you have watched my YouTube videos and many of you have already purchased the ISO 27001 Toolkit; everything that you need for the management system, including this, is in there. If you don’t buy it, the things that I’m going to mention, the trigger words, the key words, the artefacts, I have blogs and YouTube videos on how you can create them yourselves. So I’m not going to leave you high and dry, and I’m not just selling at you. When we’re looking at our information security policy, we need a policy, and we actually need a set of policies. The policies are statements of what we do, and we use our policies to communicate to staff, employees and people within our organisation what it is that we do when it comes to information security. We also use our policies externally, to communicate to potential customers and existing customers what it is that we do for information security.

We separate out the processes from the policies. The processes are statements of how, and we separate them out because we don’t want to include confidential information and process steps within documents that are potentially going to be publicly or semi-publicly available. So you’re going to need your policies, and all of the policies are available pre-written and ready to go. You’re also going to need your objectives.

Within the management system and within the ISO 27001 Toolkit, my advice to you, and the way that I do it, is this: I set out my process for establishing my objectives, I explain and document how we do that, and then I set out a table, using a template, that lists the objectives themselves.

Information security objectives, especially for a small organisation or somebody starting out from scratch, are fairly common across organisations, and that’s why I have been able to pre-populate them for you and give you that head start. Many people just take them and run with them, but you might want to adapt them. The objectives set out what it is that we need from the information security management system, who is going to do it, what they are going to do, and when they are going to do it by. Things like the milestones. All that good stuff is in there.

So, you’re going to create your management system, you’re going to create your policies, you’re going to set out what your objectives are, you’re going to create your organisational overview, and you’re going to describe within the documentation who you are and your context of organisation. All of the good things that we covered in Clause 4, the four parts of Clause 4 and each of their videos, you’re going to have documented: internal and external issues, interested parties, defining your scope. All that good stuff is going to be in there.

Ensuring the integration of the information security management system requirements into the organisational processes.

For part two we ensure the integration of the information security management system requirements into the organisational processes. We’ve got to tie this in with our organisational processes, and this is one of the stumbling blocks, I think, for a smaller organisation: either you have processes but they are not documented, or they are documented but they need a slight tweak to satisfy the requirements of information security as written out within the policies that we provide to you, which meet the requirements of the standard. Either way, you’ve got to make sure that you’re tying it in. The information security management system itself can be semi-independent of your organisational operations, but when it comes to the Annex A implementation, the control implementation, the controls are deep within your business. They are your business. It’s how you run your business. So you’re going to be going through and making sure that the requirements are tied in there.

Ensuring that the resources needed for the information security management system are available.

The next one is ensuring that the resources needed for information security management are available. Okay, small business challenge: you don’t want to pay, you don’t want to get the resources. There are ways around it, and I go through it in ISO 27001 Clause 5.1 Leadership and Commitment – Ultimate Certification Guide and within the ISO 27001 Toolkit, but fundamentally you need to demonstrate somehow, somewhere, that you have the resources available to do this thing. There are a couple of resources that you’re going to need.

You’re going to need a management review team, an oversight body that follows a structured agenda and has some specific responsibilities associated with it. We’ll cover that in another topic, but it requires people to be part of it.

ISO 27001 Management Review Team Meeting Agenda Template

You’re going to need an information security person: internal, external, contractor, consultant, part-time, somebody internal you’ve sent on a course, somebody who’s read a blog or watched the YouTube video. Somebody is going to have to be responsible for information security. Then resources within the organisation to deliver it have to be made available: you’ve got to make people available within their day job to do the implementation and then to do the ongoing running of it.

There are a number of documents that we recommend, and that I provide for you, that can help to demonstrate this. There is the roles and responsibilities document, which sets out all the roles, says what their responsibilities are, and lets you simply allocate people to them. So you have a roles and responsibilities document for the information security management system.

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities Template

You have a management review team that follows a structured agenda and has responsibilities, and you allocate people to it, so you’re demonstrating that you’re making people available. You have an accountability matrix; some people call it a RASCI matrix. In the template I actually give you two versions of it: a full RASCI for those of you who are a little more mature in your processes and need that level of detail, and a high-level one. The premise remains the same: we list out all of the clauses within ISO 27001, we list out all of the controls within ISO 27002, and we allocate somebody to be responsible for each of them. Whether the doing is done internally or not, whether it is done by somebody who isn’t the person who’s accountable, or whether it is done by a third-party supplier, somebody in our organisation is allocated to that clause and that control. The accountability stops with them, and what we’re demonstrating is that people and resources have been made available. There are many different ways that you can do it. For more detail please do go and check out the blog, but that is the high-level approach.

ISO 27001 ISMS Rasci Matrix Template

Communicating the importance of effective Information Security Management and of conforming to the information security management system requirements.

The next section, from a leadership point of view, is that we’ve got to communicate the importance of an effective information security management system and of conforming to the management system requirements. There are a number of different ways that we’re going to demonstrate that from a leadership point of view.

There are some standard things, like having a communication plan. Again, I provide you a communication plan pre-populated with the common communications that you’re going to want to do, but whatever you use, you’re going to have a communication plan listing the kinds of communications that you do. Your management review meeting is a communication, right? You’re going to be sending out communications and regular updates about where the policies are, who’s responsible for information security, and how people raise an incident.

ISO 27001 Communication Plan Example

You’re going to have a training programme. That may be within a tool, so your communication plan may be supplemented by a training tool that has a training schedule within it. As part of that you’re going to be doing things like annual information security training, annual data protection training and annual GDPR training, and all of that training is going to be tracked. It’s going to have a quiz at the end of it to confirm understanding. You’re going to push people through it and keep records of everybody having done it. There may be additional training modules that you want to do based on your business. If you’re fully remote you may want to do a remote working module; if you’re suffering from phishing attacks on a regular basis you might want to roll out a phishing training tool, supplement that with phishing awareness communications, and run a phishing test.

So, there are lots and lots of ways that we can communicate the importance and the effectiveness of information security.

We can include it within our board updates, our quarterly updates, our Town Hall meetings, our team meetings, our company away days. There are many points that we touch with our employment base and with our supplier base where we can be communicating that.

Then of course there are more structured approaches to communicating these things, such as contracts of employment and supplier contracts that stipulate requirements and potentially set out the consequences of not adhering to certain things within our management system, such as disciplinary action or ending of contracts. So again, I give you that on the blog – ISO 27001 Clause 5.1 Leadership and Commitment – Ultimate Certification Guide. Have a look at the blog and go through the detail within it; it’s all included within the templates and the toolkit. The point is that we’re communicating the importance, we’re communicating the requirements, and we’re communicating what’s going to happen if we don’t adhere to them. So we’re pushing that through.

Ensuring that the information security management system achieves its intended outcomes.

We’re going to ensure that the information security management system achieves its intended outcomes. To achieve its intended outcomes we need to have some objectives; we need to know what those outcomes are. So again, whether you’re using my template or not, you’ve got to list out what your objectives are. What is it that this information security management system is going to do?

Common examples that I provide to you are things like: implement a culture of security and awareness. Nice and high level, but again I give you the breakdown of how you would go about achieving that and measuring that within the templates and within the blog. What else is there? The management of the supply chain: securing our supply chain to reduce the risk of a supplier breach affecting us.

To achieve ISO 27001 certification and meet our legal, regulatory and client requirements there are a number of objectives that you can implement, and ideally what you want to do is use the old SMART methodology: specific, measurable, achievable, realistic, timely. Some objectives will come in from a business perspective that sit outside that, but we want objectives that are realistic and SMART. We want to have those objectives and we want to be measuring them, not just annually, not just dusting them off when it comes to the external audit, but on a regular basis, and there are different ways we can do that. We can do it through the management review team meeting. In my management review agenda, as part of my template, I always have the objectives within the management review meeting minutes so that they are reviewed at every single management review meeting. If you follow my guidance you’re having a management review meeting every month, or at worst every three months, so they’re being regularly reviewed. I also implement a process of operational security, so I drive operational security meetings once a week and I would include the objectives within the minutes of those. You might then want to have an annual update where you include them as well. There are many opportunities for you to review your progress against these objectives, but make sure that you’ve got them documented and you’re reviewing progress against them.

Directing and supporting persons to contribute to the effectiveness of the information security management system.

Directing and supporting persons to contribute to the effectiveness of the management system: again, leadership has to be supporting these people in their roles. How can we do that?

We can do that by having a competency matrix for the people involved in the information security management system. A competency matrix lays out the people, the kinds of skills and experience that we might expect them to have, and then demonstrates and records that they have them. It is also useful for planning and for identifying gaps in the knowledge and experience that we require. So we can have a competency matrix.

ISO 27001 Competency Matrix Template

Obviously we’ve got our information security awareness and our information security training. You’re probably going to be doing one-to-one training, you’re going to be helping these people with job and role specific training, and potentially encouraging them to take the security elements of their discipline, e.g. if you’re in coding, security modules related to coding; security in project management; security in change management. So we’re going to support people and provide them with resources so that they can be effective in their role.

We are going to roll out policies that say what we do and we’re going to communicate those policies in a way that people understand them so that we can help them to achieve their role and help us to achieve our objectives.

Promoting continual improvement

The next thing we’re going to do is promote continual improvement. What do we need for that? We need a continual improvement policy, so I give you a continual improvement policy and I give you a continual improvement process. I show you exactly what you need to do. There is a free blog on it on the website and it is included within the templates.

ISO 27001 Continual Improvement Policy Template

Continual improvement is baked into the standard; nothing is ever perfect, and there are numerous different ways of doing it. When we get to continual improvement, which is a clause later on in the series, I will talk you through the different steps that are involved and how we can achieve it.

Supporting other relevant management roles to demonstrate their leadership as it applies to their role and information security.

Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility: again, the competency matrix, the communication plans, the management review meeting and top-down communication are all baked in and built in for us to be able to achieve that outcome. So what you can see is that there is quite a lot, really, when it comes to leadership and ISO 27001, more than you would expect from such a throwaway-sounding clause. Leadership is probably the hardest group to engage. In most organisations they don’t give a **** do they? I mean, do they, realistically? They’ve given it to you, right? You’re doing it, and you know how difficult it is to get any budget or money out of them. Probably that’s why you’re here and doing it for free. But it is very, very important, and when it comes to the audit there are a number of areas that they will check.

Things an auditor will check

So let’s give you some value add: what are the things that an auditor is going to look for and what is an auditor going to check? There are many of them, so let’s do the top ones.

The first one is an interview with senior leadership. They’re going to interview these people and ask them what their involvement was in the information security management system and its implementation, and what their involvement is on an ongoing basis. They’re going to ask them things like: okay guys, where are the policies? Where are your procedures? When did you last have a management review meeting? What did you discuss? What were the topics? They’re going to ask them: what’s your biggest risk? What’s your biggest information security risk? When was the last time you reviewed your risks? So they’re going to have a conversation with senior leadership to understand their level of involvement. Now, whether that is somebody like me prepping them and telling them what they’re going to be asked, or doing it the right way, let’s do it the right way and have them actively involved, because they are going to get interviewed on audit.

Secondly, they are going to check your documentation. They’re going to make sure that all of the things we’ve just been discussing around the eight points above, communication plans, competency matrices, documented roles and responsibilities, documented policies, are in place. They’re going to be looking through all of that, including the version control, the classification and all the good housekeeping that goes with it, and they’re going to be looking to make sure you’ve got resources. This can be a tricky one: if you’ve got a competency matrix that says nobody in your organisation has knowledge, experience or training in ISO 27001, that is usually a major nonconformity. How can you be running a project, and running it effectively, if nobody understands it or is experienced in it? So whether you’re satisfying that by having a third-party supplier, on demand or on retainer or however you’re managing it, you’ve got to make sure that you’ve got the resources in place. Those are the very basic resources, let alone the resources within the organisation following the processes that you’ve now implemented.

The top mistakes people make

Let’s have a look. This is a long one today; hopefully you’re still with me and I’m adding some value. Now we’re going to look at the mistakes that people make. What are the top three mistakes that people make for Clause 5.1?

Can you guess number one? Number one is that leadership are not engaged. It’s the number one mistake for anybody that comes to me and says, can you help me with ISO 27001. If they don’t have any level of leadership buy-in, if they’re like, oh well, I don’t really have any budget, we just kind of need it but we don’t want to pay for it, I’m like: I can’t help you. If it’s somebody driving it from within information security or IT, and I say, but have you got the ear of the board or leadership, what’s their appetite? Oh no. It’s an uphill battle. I’m always struggling to get resources. I can’t help you, because you’re on a hiding to nothing. So the number one mistake that people make is that leadership are not engaged.

Number two is that you cannot evidence your management reviews. Again, if you’re trying to do this on the slide, people don’t want to do their management reviews, they don’t want to minute them, they don’t want to document them. Follow my advice: management review, structured agenda, every single month up to and including your certification and throughout year one.

There are so many benefits, which we’ll cover when we get to that clause. Number three is your housekeeping around your documentation, which I cover all the time and don’t need to repeat here.

Conclusion

Be sure to subscribe to my ISO 27001 YouTube channel. I am very needy, I need followers, but you’re going to be in good company, as the videos are watched tens of thousands of times and we’re approaching thousands of followers on there. I look forward to talking to you, educating you and sharing my knowledge and wisdom.

I am Stuart Barker. I am the ISO 27001 Ninja. That was ISO 27001 Leadership and Commitment and I will see you on the next one, but for now, peace out.
