ISO 27001 Information Security Management Standard - Clause 5.1

Posted by Craig Thornton

Part 14: Clause 5.1 Leadership and Commitment

Leading from the front and being super committed to your information security management system (ISMS) is crucial for its success.

In my experience, the most important (and most common) reason why an ISMS fails is a lack of leadership and commitment.

If your staff see that you, as a leader, are not committed to the ISMS, the system starts to erode. Your staff will start to use work-arounds to circumvent the system, and this puts your system at grave risk.


New Zealand boards of directors have rated information security as the number one biggest threat to business.

It therefore falls to Management to show strong leadership and commitment to systems that manage information security.

Once leadership and commitment to the ISMS have been established, actually displaying those leadership and commitment qualities day to day is easy.

Here at Mango, we keep our staff constantly up-to-date on our information security. IT-related information is of course vitally important to us, but we also make sure that we address other security topics such as:

  • building security
  • clean desks
  • clean whiteboards
  • managing office keys
  • sharing security with contractors
  • discussing security with customers

So what is the best leadership style?

At Mango we use the following leadership styles for our ISMS:

  • Open and Transparent – Clearly explain the ISMS to all employees. Don’t hide processes. Be transparent.
  • Encouraging – Invite employees to participate in the creation, establishment, implementation and monitoring of the ISMS.
  • Inclusive – Let everyone have their say.
  • Listen – Hear employees’ different points of view.
  • Learn – Be willing to allow all staff to learn from mistakes while considering the risk.

To start the process we sat down with all our team members to explain:

  1. What the ISMS looks like in Mango and how it relates to the ISO 9001 management system.
  2. How the staff fit within the ISMS.
  3. What Mango wants to achieve from being ISO 27001 certified.
  4. The context of the organisation process. This included the:
    a. Interested parties
    b. Vision and Mission – including Brand Compasses
    c. SWOT analysis
    d. Key business strategies
  5. We made sure that everyone had a clear understanding of Mango’s strong focus and commitment to information security.

Takeaway

The steps to meeting clause 5.1 of ISO 9001:2015 are:

  1. Discuss information security with the board of directors (or the senior management) and determine the leadership approach that will be best suited to gain commitment and support from your staff on the ISMS.
  2. Hold management accountable to communicate the ISMS to the organisation.
  3. Make sure all employees are trained and understand what an ISMS is and how they fit into it.
  4. Ensure all employees are involved in effectively implementing the ISMS.


View previous blogs in this series "ISO 27001 Information Security Management Standard":

ISO 27001 Information Security Management Standard: Principle 1 - Analysing the Protection of Your Information and then Applying Controls

ISO 27001 Information Security Management Standard: Principle 2 - Awareness of the Need for Information Security 

ISO 27001 Information Security Management Standard: Principle 3 - Assignment of Responsibility for Information Security

ISO 27001 Information Security Management Standard: Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

ISO 27001 Information Security Management Standard: Principle 5 - Enhancing Societal Values

ISO 27001 Information Security Management Standard: Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

ISO 27001 Information Security Management Standard: Principle 7 - Security incorporated as an essential element of information networks and systems

ISO 27001 Information Security Management Standard: Principle 8 - Active prevention and detection of information security incidents

ISO 27001 Information Security Management Standard: Principle 9 - Ensuring a comprehensive approach to information security management 

ISO 27001 Information Security Management Standard: Principle 10 - Continual reassessment of information security and making of modifications as appropriate

ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4 of ISO 27001:2013

Tags: Cybersecurity, ISO 27001, information security, ISO 27001 Certification