The fourth principle of information security is to incorporate management commitment and the interests of stakeholders.
All information security managers say that the number one key to effective information security is genuine management commitment. And they're absolutely right. Management commitment makes all the difference to the success or failure of information security.
But it is not enough simply to say that management is committed to information security.
Management commitment to information security must involve an active, ongoing set of behaviors. Management commitment is a willingness to regularly and honestly scrutinize the weak points of the organization's information security.
There are many stakeholders - staff, managers, directors, shareholders, customers, suppliers and regulators. Each of these parties has an impact on your business, so it is wise to take into account each group's needs and expectations regarding information security.
Failure to put both management commitment and the interests of your stakeholders at the forefront will leave your ISMS unworkable, putting your business at grave risk. The good news is that prioritizing management commitment and the interests of your stakeholders will give you a robust, strong and nimble ISMS.