ISO27001 Clause 5

So Clause 5 is called Leadership. ISO27001 is a very top-down standard. You aren’t going to get very far without the support and buy-in from senior leadership. I know this because I used to work for a bunch of cowboy shysters who didn’t care about ISO27001, they just wanted the stamp.

There are just three sub clauses in this section.

5.1 – Leadership and commitment

As it suggests, how much do senior management care about ISO27001? Why are you doing it, how are the benefits promoted to the rest of the staff, and how is information security embedded in your processes?

There’s actually no call for you to document this. An auditor will want to speak to a director or equivalent to ask them how they support and promote ISO27001 within the organisation. There’s no right or wrong answer but the lack of senior leadership of any description turning up doesn’t look good.

5.2 – Policy

You need an Information Security Policy. You need other policies as well, but you need an overarching policy. Something like:

Company X is committed to maintaining the confidentiality, integrity and availability of our customer, supplier and staff data to the best of our ability at all times.

We will do this by adopting best practices, training our staff, investing in appropriate technology and continually improving our ISMS.

You can probably do better than that.

Note – People get policies and processes confused. I was told on my Certified Information Security Manager course that you need about a dozen policies but you can have as many procedures as you like. A policy sets out your principles; a process sets out how you are going to achieve those principles.

It’s a good idea to have an Information Security Policy that fits on one page and have it signed by the Chief Executive. Print it out and put it on noticeboards.

5.3 – Organisational roles, responsibilities and authorities

Who does what and, crucially, who’s responsible for collecting performance data and reporting on it to senior management? You don’t actually have to document this in the ISMS, but the auditor might well give you an Opportunity for Improvement to document it.