ISO 27001:2022 Requirements: Clause 5.1 Leadership and Commitment

This version of clause 5.1 is applicable to both ISO 27001:2022 and ISO 27001:2013.

This clause requires top management to design and document policies and explicitly assign and support the ISMS roles and responsibilities. The involvement of top management regarding the ISMS is a core aspect of the ISO 27001 standard.

The top management of a company includes chief officers of the company, including the CEO, CFO, CTO, etc., the board of directors, and other senior stakeholders. The standard requires that top management must show ISMS and ISO 27001 leadership and commitment. This leadership and commitment should be demonstrated visibly to the rest of the organisation, setting the standard for the entire business.

What is leadership in ISO 27001?

So what does this leadership look like in the context of ISO 27001 in practical terms? It includes senior leadership and management of an organisation showing evidence of the following:

• Ensuring that the information security policies and objectives are in line with the organisational goals and strategies – senior leadership are ideally placed for this, having likely created the goals and strategies too;
• Integrating the ISMS into the organisational processes on every level to reach its optimum efficiency and impact across the organisation;
• Ensuring the availability of the proper resources for the implementation of the ISMS, in terms of software, training, people and time;
• Communicating the importance of the ISMS so that employees can fully appreciate its significance, understand it properly and adhere to its requirements;
• Achieving the intended outcomes which were decided when setting up the ISMS scope in clause 4.3. This is what the organisation wants to achieve through the ISMS;
• Guiding and supporting the personnel at different levels of the organisation affecting the ISMS, so as to increase efficiency and achieve the intended outcome(s) of the ISMS;
• Promoting the continual improvement of the ISMS, which is one of the requirements detailed in clause 4.4;
• Supporting other managerial roles to demonstrate their leadership.

Effective and involved leadership is needed to achieve the full potential of an organisation's ISMS. Top management should set the standard for an organisation, demonstrating leadership and commitment to the business’s ISMS.