CHAPTER 9: MANAGEMENT RESPONSIBILITY

Implementation of an ISMS is something that ISO27001 recognises will affect the whole organisation. The requirements around scoping and the information security policy are explicit that there needs to be a documented justification for any exclusion from the scope, and that the policy should apply across the organisation.

ISO27001 is also clear that the ISMS should be designed to meet the needs of the organisation, and should be implemented and managed in a way that meets – and continues to meet – those needs.

Management direction

ISO27001 contains a requirement that management should ‘[communicate] the importance of effective information security management and of conforming to the information security management system requirements’.1 These requirements have grown stronger in successive versions of the ISMS Standard as it has become ever clearer that designing and establishing an ISMS is difficult without such management support and direction.

The strategic nature of an ISMS is explicitly recognised in Clause 4.4 of the Standard, which states the requirement that the organisation ‘shall establish, implement, maintain and continually improve an information security management system’. This strategic position is established (in Clause 4.1) as being founded on an understanding of the organisation and its context.

Management’s responsibility is so important that Clause 5 is devoted to setting out in detail the management requirements. These requirements are that management ‘shall demonstrate leadership and commitment with respect to the information security management system’, ‘shall establish an information security policy’, and ‘shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated’.

Management-related controls

There are a number of controls in Annex A that specify management involvement and are linked to Section 5 of ISO27001. These, numbered as they appear in Annex A, are as follows:

•  A.5.1.1: policies for information security

•  A.6.1.2: segregation of duties

•  A.9.2.5: review of user access rights

•  A.18.2.2: compliance with security policies and standards.

Requirement for management review

In addition to the control requirements, the Standard mandates, at Clause 9.3 (management review), that management, at planned intervals, must ‘review the organisation’s ISMS […] to ensure its continuing suitability, adequacy and effectiveness’.2 This clause clearly defines the required inputs to the review process; they include the output from the organisation’s monitoring and review activity.

The output from the management review should be documented, and should also be implemented; it should lead to steady, ongoing and continuous improvement of the ISMS. An ISO27001-certificated ISMS will be subject to regular certification reviews during the currency of the certificate; these reviews will focus on how the organisation and its management have driven the continuous improvement process.

1 ISO/IEC 27001:2013, 5.1.d.

2 ISO/IEC 27001:2013.
