ISO 27001 Clause 5

ISO 27001 clause 5 Leadership

ISO 27001 clause 5 is called “Leadership” — this clause requires the definition of top management responsibilities, setting the general roles and responsibilities for the ISMS, and defining the contents of the top-level Information Security Policy.

This clause is important because it requires companies to define clear business goals for security and to assign the main responsibilities for achieving them.

Clause 5 has three sub-clauses:

  • Clause 5.1 — Leadership and commitment — it requires top management and line managers with relevant roles in the organization to demonstrate a genuine effort to engage people in the support of the ISMS.
  • Clause 5.2 — Policy — it requires the top management to establish an information security policy, which is aligned with the organization’s purposes and provides a framework for setting information security objectives, including a commitment to fulfill applicable requirements and the continual improvement of the ISMS.
  • Clause 5.3 — Organizational roles, responsibilities and authorities — it requires top management to ensure that roles, responsibilities, and authorities are delegated and communicated effectively. The responsibilities must be assigned to ensure that the ISMS is fully compliant with the standard and that the ISMS performance can be accurately reported to top management.