Clause 5 – Leadership
Overview:
Clause 5 of ISO/IEC 27001:2022 outlines the role of leadership in establishing, implementing, maintaining, and continually improving the Information Security Management System (ISMS). The clause further asserts the importance of the senior leadership team in setting the tone, providing the resources, and aligning the ISMS with the organization's objectives.
Implementation Guidance:
1. Demonstrate Leadership Commitment
Senior leadership plays a crucial role in the success of an ISMS in any organisation, and demonstrates its commitment by:
- Communicating the importance of the ISMS to the entire organisation (setting the tone)
- Aligning the information security policy and the ISMS with the organisational objectives
- Integrating the ISMS into the organisation's processes
- Providing the resources and support needed for the smooth functioning of the ISMS
- Ensuring regular monitoring and providing feedback for continual improvement
- Communicating to the workforce the importance of the ISMS and directing them to contribute to its effectiveness
- Supporting other relevant management roles in their areas of responsibility
2. Information Security Policy
Top management shall establish an information security policy. The policy shall:
- Provide a framework for setting information security objectives
- Reflect the purpose of the organisation
- Include a commitment to continual improvement of the ISMS
- Include a commitment to satisfy applicable requirements related to information security
The policy shall be:
- Available as documented information
- Communicated to the workforce within the organisation
- Made available to all interested parties
3. Organizational roles, responsibilities and authorities
- Top management should ensure that responsibilities and authorities for relevant roles related to information security are communicated within the organisation
- Assign responsibilities and authority to ensure that the ISMS conforms to the requirements of ISO/IEC 27001:2022. This may include forming an information security team reporting directly to the CEO.
- Assign responsibilities and authorities to relevant stakeholders to report the performance of the ISMS to top management. This may include forming an ISMS Steering Committee that reports the performance of the ISMS to top management on a periodic basis.
Examples and use cases:
- In an ITeS organisation, the CEO schedules periodic meetings with the CISO and the information security team. The CEO discusses the following in the meeting:
  - Current posture of information security in the organisation
  - The top 10 risks the organisation is facing
  - New information security initiatives
- A financial institution constitutes an information security team headed by the CISO, who reports directly to the CEO.
- A global pharmaceutical company established a global information security policy and enforced it across all of its offices and locations.
Compliance Checklist:
- Information security policy document
- Management review meeting minutes (demonstrating top management involvement)
- Document showing the organisational hierarchy with the information security roles (e.g., structure of the Information Security Steering Committee)
- Resource allocation records for the ISMS (budget, staffing, tools)
- Document with job descriptions of key information security roles, their responsibilities and authorities
- Roles and responsibilities document describing security roles, responsibilities and authorities for the workforce
- Evidence of ISMS integration into business processes (e.g., project management guidelines, procedures)
- Audit reports demonstrating ISMS conformity to ISO/IEC 27001:2022 requirements
- Records demonstrating continual improvement