Information Security Principle 4

Principle 4 - Incorporating management commitment and the interest of stakeholders

The fourth principle of information security is to incorporate management commitment and the interests of stakeholders.

1. Management Commitment

All Information Security Managers say that the number one key to having an effective information security is to have genuine management commitment. And they’re absolutely right.  Management commitment makes all the difference to the success or failure of information security.

But it’s not enough to just say that management is committed to the information security. 

Management commitment to information security must involve an active, on-going set of behaviors.   Management commitment is a willingness to regularly and honestly scrutinize the weak points of the information security.

2. Interests of stakeholders

There are many stakeholders - Staff, Managers, Directors, Shareholders, Customers, Suppliers and Regulators.  Each of these parties has an impact on your business, so it is wise to take in account each group’s needs and expectations regarding information security.

Failure to put both management commitment and the interests of your stakeholders at the forefront will mean that your ISMS is unworkable, putting your business at grave risk.  The good news is that making a priority of management commitment and the priorities of shareholders will give you a robust, strong and nimble ISMS. 

Learn More:

1. Information Security - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
2. Information Security - Principle 2 - Awareness of the need for information security
3. Information Security - Principle 3 - Assignment of Responsibility for Information Security
4. Information Security - Principle 5 - Enhancing Societal Values
5. Information Security - Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk
6. Information Security - Principle 7 - Security incorporated as an essential element of information networks and systems
7. Information Security - Principle 8 - Active prevention and detection of information security incidents
8. Information Security - Principle 9 - Ensuring a comprehensive approach to information security management
9. Information Security - Principle 10 - Continual reassessment of information security and making of modifications as appropriate