# Clause 5: Leadership

> Top management shall demonstrate leadership and commitment with respect to the information management system...

Section 5.1 immediately sets a standard for top management that scatters the reader around the rest of the standard in terms of obligations and objectives. It is a clear designation that top management must **demonstrate** leadership and commitment to the ISMS through actions and resourcing.

> 💡 **Top management can delegate responsibilities to meet their actions, but they can never delegate their accountability.**

This is the nature of their role as top management - and why top management must relate to the scope of the ISMS, not of the organisation.

### Policy (5.2)

> Establish policy
> Commit to it
> Communicate it

Top management need to establish an IS policy. It has to be relevant to the purpose of the organisation (5.2a), so that rules out SANS templates and other 'YOUR COMPANY NAME HERE' policy packs. It also needs to either provide a framework for setting IS objectives, or contain the security objectives themselves (5.2b). This policy is where the commitment is explicitly made to satisfy the requirements related to information security and to continually improve the ISMS (5.2c, d). Don't sleep on this - the commitment needs to be recorded somewhere! It can't be held as an organisational understanding. The policy needs to be documented, communicated within the organisation and made available to interested parties as appropriate (5.2e, f, g). There's a lot of room for creativity here on what this looks like, as long as the policy is:

- Communicated
- Understood
- Applied within the organisation

### Organisational roles, responsibilities and authorities (5.3)

> Top management assign roles/responsibilities
> Ensure conformity
> Create reliable reporting on performance to top management.

The clause refers to the top management of the relevant scope, not of the whole organisation, and does allow areas of responsibility to be delegated (5.3).
This is not required to be documented by the standard, but it is of course subject to audit (and in practice tends to be documented as a matter of course, not of compliance). Assigning roles and responsibilities relevant to information security is the ultimate responsibility of top management, and these assignments need to be communicated to the organisation. Specifically, top management assigns the responsibility and authority for ensuring the ISMS conforms to the requirements of the standard, and for reporting the performance of the ISMS back to top management (5.3a, b).

> 💡 **When delegating we can use job roles, names, etc., but it needs to be reliable.**

These roles and responsibilities may change semi-frequently in your organisation, but they still need to be documented and made clear. For this reason, larger organisations may wish to assign responsibilities to roles/hats and then point to other live documentation that tells you who currently holds each responsibility.