ISO 27001 Leadership and Commitment – Tutorial


Introduction

In this tutorial we will cover Leadership and Commitment.

You will learn what ISO 27001 Leadership and Commitment is and how to implement it.

ISO 27001 Leadership and Commitment

ISO 27001 is a top-down, leadership-led standard, so you are going to make sure that top management can demonstrate leadership and commitment with respect to the information security management system.

That leadership and commitment will:

1. Ensure the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation.

2. Ensure the integration of the information security management system requirements into the organisational processes.

3. Ensure that the resources needed for the information security management system are available.

4. Communicate the importance of effective Information Security Management and of conforming to the information security management system requirements.

5. Ensure that the information security management system achieves its intended outcomes.

6. Direct and support persons to contribute to the effectiveness of the information security management system.

7. Promote continual improvement.

8. Support other relevant management roles to demonstrate their leadership as it applies to their role and information security.

Implementation Guide

ISO 27001 is a top-down leadership standard. It is aligned with the majority of the ISO standards: they all follow a very similar format, so if you have implemented other ISO standards such as ISO 9001, a lot of what you will see here is going to be familiar to you. It may well be that you can reuse what you already have, or just make a slight tweak.

You have to show leadership, and you have to lead from the top. This isn’t driven by some guy or lady in IT, and it isn’t driven by some information security person like me with their police hat on or their parent hat on, telling you what it is that you need to do.

This has to be driven from leadership. It has to be driven from the top.

Information security policy and objectives

You need to implement an information security policy together with a set of topic-specific policies. The policies are statements of what you do, and you use them to communicate to the staff, employees and other people within your organisation what it is that you do when it comes to information security.

Policies will also be used externally to communicate to potential and existing customers what it is that you do for information security.

Next you will set out the process for establishing objectives and list what your objectives are.

Integrate the information security management system requirements into the organisational processes

You ensure the integration of the information security management system requirements into the organisational processes.

For a smaller organisation it is common that you have processes but they are not documented, or that they are documented but just need a slight tweak.

It’s how you run your business.

The processes need to be documented, with evidence of process maturity and of their operation.

Ensure resources are available

The first resource you need is the information security management system. This is the ISO 27001 toolkit.

You’re going to need a management review team: an oversight body that follows a structured agenda and has some specific responsibilities associated with it.

ISO 27001 Management Review Team Meeting Agenda Template

You’re going to need an information security person who is responsible for information security, and the resources within the organisation to deliver it have to be made available.

There are a number of recommended documents to demonstrate this. One is the roles and responsibilities document, which sets out all the roles and states what their responsibilities are. You then allocate people to those roles.

Communicate

You are going to communicate the importance of an effective information security management system and of conforming to the management system requirements. There are a number of different ways to demonstrate that from a leadership point of view.

For a detailed run-through, read ISO 27001 Clause 7.4 Communication.

Achieve its intended outcomes

To achieve its intended outcomes you need to have some objectives.

Common examples:

  • implement a culture of security and awareness
  • management of the supply chain
  • achieve ISO 27001 certification

Objectives should be SMART – specific, measurable, achievable, realistic, timely.

Once you have objectives you will measure them. Examples of how to do this include:

  • through the management review team meeting
  • operational security meetings
  • an annual update and review

Direct and support people

You will direct and support people to contribute to the effectiveness of the management system via:

  • Policies
  • Training
  • Communication
  • Competency Management and Competency Matrix

Promote continual improvement

Implement continual improvement. For further reading, see ISO 27001 Clause 10.1 Continual Improvement.

Supporting management roles

Support other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

Examples of how to support other management roles include:

  • competency matrix
  • training plans
  • communication plans
  • management review meeting
  • top-down communication
