Leadership and Commitment - Clause 5.1
Leading from the front and being fully committed to your information security management system (ISMS) is crucial for its success.
In my experience the most important and common reason why an ISMS fails is a lack of leadership and commitment.
If your staff see that you, as a leader, are not committed to the ISMS, the system starts to erode. Staff will start to use work-arounds to circumvent the system, which puts it at grave risk.
New Zealand boards of directors have rated information security as the number one threat to business.
It therefore falls to management to show strong leadership and commitment to the systems that manage information security.
Once leadership commitment to the ISMS has been established, demonstrating that commitment day to day is straightforward.
Here at Mango, we keep our staff constantly up-to-date on our information security. IT-related information is of course vitally important to us, but we also make sure that we address other security topics such as:
- building security
- clean desks
- clean whiteboards
- managing office keys
- sharing security with contractors
- discussing security with customers
What is the best leadership style?
At Mango we use the following leadership styles for our ISMS:
- Open and Transparent – Clearly explain the ISMS to all employees. Don’t hide processes. Be transparent.
- Encouraging – Invite employees to participate in the creation, establishment, implementation and monitoring of the ISMS.
- Inclusive – Let everyone have their say.
- Listen – Hear employees’ different points of view.
- Learn – Be willing to allow all staff to learn from mistakes while considering the risk.
To start the process we sat down with all our team members to explain:
- What the ISMS looks like at Mango and how it relates to the ISO 9001 management system.
- How the staff fit within the ISMS.
- What Mango wants to achieve from being ISO 27001 certified.
- The context-of-the-organisation process, which included the:
a. Interested parties
b. Vision and Mission – including Brand Compasses
c. SWOT analysis
d. Key business strategies
We made sure that everyone had a clear understanding of Mango’s strong focus on and commitment to information security.
Takeaway
The steps to meeting clause 5.1 of ISO 9001:2015 are:
- Discuss information security with the board of directors (or the senior management) and determine the leadership approach that will be best suited to gain commitment and support from your staff on the ISMS.
- Hold management accountable to communicate the ISMS to the organisation.
- Make sure all employees are trained and understand what an ISMS is and how they fit into it.
- Ensure all employees are involved in effectively implementing the ISMS.
View previous blogs in this series "ISO 27001 Information Security Management Standard":
ISO 27001 Information Security Management Standard: Principle 5 - Enhancing Societal Values
ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4 of ISO 27001:2013