What does ISO 27001 Clause 5.1 involve?
This clause identifies specific aspects of the management system where top management are expected to demonstrate both leadership and commitment. These include but are not limited to:
- Accountability for the effectiveness of the management system;
- Ensuring the policy and objectives are established and are compatible with the context and strategic direction of the organisation;
- Ensuring the management system requirements are integrated into business processes;
- Promoting the use of the process approach and risk-based thinking;
- Ensuring adequate resources are in place;
- Ensuring the management system achieves its intended results;
- Engaging, directing and supporting persons to contribute to the effectiveness of the management system.
If leadership is not actively involved (for example, does not participate in management reviews, or cannot show the external auditor during the audit that a leadership representative is taking it seriously), then the organisation will almost certainly fail. Auditors talk about the spirit of ISO 27001 coming from the top; if they do not see that, they will probably look much more deeply and sceptically during the audit.
As has been stated many times before, information security management is a business-critical philosophy and must be compatible with an organisation's business objectives and processes for it to work in practice. Without leadership support, or with a requirement to do 25 things before someone can actually do the job they want to do, the ISO 27001 journey will struggle to get off the ground.
Being able to demonstrate this leadership commitment is essential for clause 5.1, and that is where a more serious information security management system comes into play: one that both evidences leadership commitment to investing in an ISMS and records their involvement, e.g. in management reviews and broader ISMS decision making, as well as in the required annual external audits for ISO 27001. If a statutory financial accountant saw all the financial accounting being done in spreadsheets instead of a professional accounting application, they might question its integrity and spend longer on it than if the work had been done with Xero, Sage or another recognised solution. It is the same for information security management. Using the right tools and having the right people involved breeds confidence.
Having those foundations in place makes this clause easy to demonstrate; compliance then simply requires documented evidence, such as notes, to reinforce that leadership and commitment are in place and that points a-h of clause 5.1 in the ISO 27001 standard are addressed. All the parts of the joined-up ISMS will then show that in practice.