The basics
ISO 27001 sub-clause 5.1 is called “Leadership and commitment” — it requires top management and line managers with relevant roles in the organization to demonstrate a genuine effort to engage people in the support of the ISMS.
Documentation
ISO 27001 clause 5.1 Leadership and commitment does not require writing any documents because this clause is mostly about how the top management shows commitment through various activities.
Implementation
To comply with clause 5.1 Leadership and commitment, the senior management of a company can show commitment to the ISMS by ensuring the following:
- alignment of the information security policy and objectives with each other, and with the strategic policies and overall direction of the business;
- integration of information security activities with other business systems;
- provision of resources so the ISMS can be operated efficiently;
- understanding of the importance of information security management and compliance with ISMS requirements;
- achievement of ISMS objectives;
- explanation of information security responsibilities to people within the ISMS, and their correct support, training, and guidance to complete their tasks effectively;
- support of the ISMS during its full life cycle, following a PDCA (Plan-Do-Check-Act) approach and continual improvement.
Audit evidence
During the audit, an auditor might ask for the following evidence regarding clause 5.1 Leadership and commitment:
- If the Information Security Policy is published and communicated to relevant people.
- If the top-level information security objectives are set, and if these objectives are related to the strategic direction of the company.
- If the top management strives to achieve information security objectives.
- If the resources are available for an effective ISMS, such as dedicating people, allocating time for information security activities, and providing financial resources.
- If the management communicates the importance of information security throughout the company.
- If the top management applies the ISMS in day-to-day activities to set a good example for all employees.
- If the security processes are integrated within company processes.
- If the management supports and promotes continual improvement of the ISMS.
These are the things the auditor will be looking for; if they are not found, this is considered a nonconformity.