ISO 27001: How Important is Management Buy-In?
Depending on your experience when you were a kid, you may have had to get your parent’s permission to do certain things—typically, big events, like sleepovers or school field trips. Without their okay, it wasn’t happening. (Or, if you circumvented them, things likely didn’t end up well when they found out.)
If you’re an organization seeking ISO 27001 certification, it’s a very similar dynamic, just with a little more to it. Of course, you’ll need the sign-off of top management to receive the budget necessary to build your information security management system (ISMS), but in fact, leadership support is also critical in terms of the standard’s requirements.
As an ISO certification body that routinely assesses organizations working to achieve certification for this very popular compliance initiative, we’ve seen organizations underestimate the importance of this facet of ISO 27001, and we don’t want you to fall into the same trap.
That’s why, in this article, we’ll break down both the significance of leadership regarding security in general, as well as how top management within your organization must factor particularly into your ISO 27001 certification for it to be successful.
As it may have been with your parents when you were young, your organizational higher-ups may take some convincing and/or wheedling—read on for further understanding that will help you in getting them on board in the way they need to be.
Why is Leadership Involvement Important to Information Security?
In fact, involvement from top management is critical to the design and effectiveness of any information security program—whether you’re going for ISO 27001 certification or not. Your program’s governance should be comprised of several different factors designed to protect your assets:
- Processes; and
Leadership is paramount, but before we go any further, it’s important to clearly define who we mean—though the definition can vary across organizations depending on size and structure, in general, “top management” indicates members of the senior executive team responsible for making strategic decisions within the organization.
Those decisions should ensure that your enterprise governance is aligned with the information security framework, but to be effective in that, top management must provide clear edicts regarding:
- What to expect from your information security program;
- How to evaluate the organization’s risk posture; and
- How to define information security objectives that are in alignment with the strategic direction and organizational goals.
But they can’t just decree these things—top management’s involvement also includes ascertaining that the intended outcomes of the information security program are achieved, and that means doing the following, at minimum:
- Aligning security strategy to meet business objectives
- Identifying and mitigating impacts on your resources and assets
- Managing resources effectively and efficiently
- Reporting useful metrics timely
- Sponsoring value-added information security initiatives
They won’t be doing everything, of course—information security is ultimately the responsibility of all employees within an organization. However, the most successful information security programs feature a management team that both sets the “tone at the top” and champions the importance of information security through well-designed policy and direction.
Ultimately, leadership should ingrain information security as part of your greater organizational culture.
ISO 27001 and The Importance of Top Management
If they do that, you’re well set up already to reap the benefits of a successful ISO 27001 certification, because such involvement from leadership is actually required and assessed, as outlined in Clauses 5 (Leadership) and 9.3 (Management Review).
Let’s dive a little deeper into the details of these clauses, which each deal with a different phase of the ISMS.
ISO 27001 Clause 5 (Leadership)
Clause 5 focuses on the design of your ISMS—involvement from top management is required. Leadership must establish and support:
- The information security policy; and
- An organizational structure where the responsibilities and roles relevant to information security are defined and communicated.
When deciding who will carry this out, consider the scope of your ISMS. Involvement in its construction from top management can vary by organization, but your ISMS scope can help inform who should be considered when determining who will be involved from a leadership and commitment standpoint.
In our experience, we’ve seen organizations begin by selecting a committee that includes both members of executive management and the information security team—together, they are/will be responsible for overseeing the design, operation, maintenance, and improvement of the ISMS.
To successfully satisfy the requirements of Clause 5, you’ll need to establish:
- An ISMS program with the oversight, support, and direction of your leadership team;
- An information security policy that includes information security objectives and is appropriate to the organization; and
- An organizational structure that incorporates information security professionals with upstream channels so that information security performance is effectively reported to top management.
ISO 27001 Clause 9.3 (Management Review)
But the involvement of leadership doesn’t stop with just the set-up laid out in Clause 5. Clause 9.3 focuses on the required procedures for your management to be continually involved in the evaluation of the ISMS to ensure its effectiveness.
This is a critical requirement for ISO 27001 certification—leadership must be involved in the requisite, periodic reevaluation of your ISMS and provide regular feedback on its performance. The standard requires continuous improvement, and part of that is accommodating changes in your environment, as well as addressing processes that are not performing as expected.
Knowing that management is required to be and remain involved in this process, your customers are more reassured that any problems with the ISMS are being identified promptly and corrective action is being successfully implemented.
To successfully satisfy the requirements of Claus 9.3, you’ll need to:
- Consistently evaluate the operation of the ISMS with input from top management
- Continually ensure the intent and objectives of the ISMS are being achieved and, through communication channels established with leadership, allow for improvements to be implemented where necessary.
Getting ISO 27001 Certified
Similar to getting the okay from your parents for the school field trip when you were younger, getting the green light from leadership is a must before you proceed with any compliance initiative. Even though your executives should already be setting an example for your entire organization regarding security anyway, ISO 27001 takes their involvement a step further.
The holistic approach of the standard requires further, more intricate commitment from top management—as you’ve just learned, there are clauses within that require action from leadership during both the design and operation phases of your ISMS. Now that you understand the details, you can get to work getting everyone who needs to be onboard before you proceed with certification.
As you do that, check out our other content that will aid in the preparation for your ISO 27001 certification, including details on the transition requirements now that a new version of the standard is out:
About RYAN MACKIE
Ryan Mackie is a Principal at Schellman, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.