This clause requires top management to design and document the information security policies, to explicitly support the ISMS, and to assign its roles and responsibilities. The involvement of top management in the ISMS is a core aspect of the ISO 27001 standard. The top management of a company includes its chief officers (CEO, CFO, CTO etc.), the board of directors and other senior stakeholders. The standard requires top management to demonstrate leadership and commitment to the ISMS. This includes management:
- Ensuring that the information security policies and objectives are in line with the organisational goals and strategies;
- Integrating the ISMS into the organisational processes on every level to reach its optimum efficiency;
- Ensuring the availability of the proper resources for the implementation of ISMS;
- Communicating the importance of the ISMS so that employees understand it properly and adhere to its requirements;
- Achieving the intended outcomes that were decided when setting up the ISMS scope, i.e. what the organisation wants to achieve through the ISMS;
- Guiding and supporting the personnel who affect the ISMS, so as to increase efficiency and achieve the intended outcome(s) of the ISMS;
- Promoting continual improvement of the ISMS;
- Supporting other managerial roles to demonstrate their leadership.
Effective and involved leadership is needed to achieve the full potential of the organisation's ISMS.