Roles and responsibilities of top management in ISO 27001 and ISO 22301
Did you know that, in most cases, failure to implement ISO 27001 or ISO 22301 was directly related to the fact that top management did not want to assume their responsibilities for information security / business continuity in their companies?
OK, you probably knew that. But, what are these responsibilities, and how do you get the management to start doing what they should?
Why is it that executives don’t care?
As I argued in my article Management’s view of information security, the primary concern of the top management is to ensure the long-term success of their company, increase profitability, control new initiatives, decrease the risks, etc.
Therefore, to get executives’ attention, you have to focus on business benefits – once they realize how information security or business continuity can contribute to, e.g., more revenues or decreased costs, to better efficiency or decreased penalties, then you will get their attention. Learn here how to achieve that: Four key benefits of ISO 27001 implementation and ISO 22301 benefits: How to get your management’s approval for a business continuity project.
Once they accept the concept of business benefits, you have to align your Information Security Management System (ISMS) / Business Continuity Management System (BCMS) with your company’s strategic objectives – that is, you have to find how your information security or business continuity can support your business strategy. For example, if you were a hosting company, one of your strategic objectives might be higher availability of your servers than what the competitors offer – ISMS and/or BCMS are very relevant for such an objective because they will directly decrease the number of incidents and therefore increase the level of availability.
So, what do executives need to do?
Once your top management understands why ISO 27001 or ISO 22301 are important, and they find out how these standards can directly support the company strategy, you can ask them to do something concrete about it.
According to ISO 27001/ISO 22301, the responsibilities of the top management are as follows:
- Publish the top-level policy – the top management needs to publish the Information security policy / Business continuity policy, in which they will define the main intention about information security / business continuity. See also Information security policy – how detailed should it be? and The purpose of Business continuity policy according to ISO 22301.
- Determine the objectives – through the objectives, the top management defines in which direction ISMS/BCMS need to be steered, and the objectives also provide a clear measure of whether the ISMS/BCMS is successful. Find out more here: ISO 27001 control objectives – Why are they important? and Setting the business continuity objectives in ISO 22301.
- Determine the main responsibilities – top management needs to define who is in charge of various elements related to the implementation and operation of the ISMS and BCMS – in most cases, they will appoint the Chief Information Security Officer or Business continuity coordinator, but the top management also needs to assign other responsibilities as well; the top management needs to support all those managers, and ultimately make sure they have done their jobs. See also Chief Information Security Officer (CISO) – where does he belong in an org chart?
- Communicate the importance – since executives are the ones who have the most influence in an organization, if they do not explain to all employees why ISMS/BCMS is important, then no one will believe they need to do something about it, especially if top managers do not “walk the talk,” i.e. comply with the security or business continuity rules themselves.
- Provide all the necessary resources – without money and without enough time of employees, the ISO 27001 or ISO 22301 project will fail – this is where the support from the top management must become very real and tangible. From my experience, this is exactly the point where the management usually fails – they usually redirect the resources into other projects.
- Perform management review – this is where the top management needs to review everything that has happened within their ISMS/BCMS, with one of the primary tasks being to conclude whether the objectives have been achieved. See also Why is management review important for ISO 27001 and ISO 22301?
So, your top management is really crucial for the success of your ISO 27001/ISO 22301 project. But, don’t ask them to do anything before you convince them that ISO 27001 or ISO 22301 is good for the business, because otherwise, you will only waste your time. And starting the project without real support from your executives is an even bigger waste of time.
Learn more about working with management with this free webinar ISO 27001 benefits: How to obtain management support.