How Do You Gain Top Management Commitment?
TRENDING
PUBLISHED on
20
July
2022
SUMMARY
In previous blogs, we have tackled a number of fundamental ISO 27001 components. In this blog, we’ll take a look at management commitment, one of the most significant.
Commitment from your leadership team is absolutely crucial to managing information security within your organisation. In just the same way as pretty much any initiative, if your organisation’s leadership doesn’t believe in information security and doesn’t demonstrate that it believes in it, then any initiatives and improvements are highly likely to fail.
The attitude of your leaders has a big impact upon the success or failure of your information security efforts, as their behaviour directly affects the culture of your organisation. Those organisations with members of the leadership team that visibly demonstrate a lack of support for the information security management system will find it very difficult to convince others within the organisation to behave differently. This can lead to a negative security culture within the organisation.
So, we know that gaining management commitment is vital, but exactly how do we demonstrate this?
There are several different ways in which your leadership team can demonstrate support and commitment to the cause. The first is with direct involvement in information security governance. Governance is primarily about effective communication. This starts from the leadership team down through development, approval and implementation of effective policy and continues from the rest of the business upwards, through effective reporting. Your leadership team should be directly involved in the decision-making process regarding appropriate policy to be implemented, and approve those policies once drafted. Similarly, leadership should demonstrate that it is taking any reporting seriously and should be involved in decisions made in response to such reports.
There are other areas which leadership should get involved with including:
- Communicating directly with the business regarding the importance of information security, e.g., through the use of newsletters, chat sessions, video broadcasts etc
- Signing off residual risk and agreeing on the risk appetite
- Supporting other management roles throughout the organisation to ensure that policy and processes are embedded
- Chairing risk and audit committee meetings and information security forum sessions
- Ensuring that appropriate and adequate resources are provided for the implementation, operation and continual improvement of your information security efforts.
Of course, there is a critical driver for the leadership team to get involved in order to ensure that your information security efforts are performing as expected – that driver is accountability. Depending upon their position within the organisation, members of the leadership team could be held personally liable if your information security efforts fail to such a degree that legislative or regulatory requirements are not met.
How URM can help?
Consultancy
Planning for ISO 42001, the EU AI Act, or broader AI risk frameworks?
A short, free, non‑commitment call can help you clarify scope, understand regulatory expectations, and align your approach across standards such as ISO 42001 and NIST AI RMF. Early guidance often saves time and avoids fragmented compliance efforts.
Read more
Consultancy
Developing or reviewing your AI management framework?
Whether you are at an early planning stage or preparing for audit and assurance activities, we offer a free introductory call to help you assess risks, responsibilities, and the most proportionate route forward.
Read more
Consultancy
Unsure how to approach SOC 2 or where to focus first?
You do not need a fully defined programme to start the conversation. We offer a free, no‑obligation call to help you understand SOC 2 requirements, assess your current position, and identify practical next steps.
Read more
URM holds free seminars and webinars for end-user organisations focusing on information security.
Find out more
related BLog posts
Information Security
Published on
3/7/2025
ISO 27001:2022 - A.5 Organisational Controls (Incident Management)URM’s blog breaks down the six incident management-related controls in Annex A of ISO 27001, providing key guidance on how to implement each control.
Read more
Information Security
Published on
16/5/2025
ISO 27001:2022 - A.5 Organisational Controls (Information Security Management)URM explains the 8 information security management controls included within the ‘Organisational controls’ theme and how to prepare for an audit of each control
Read more
Information Security
Published on
20/3/2026
ISO 27001 – Clause 6.3: The Importance of Planned ISMS Change ManagementURM’s blog explains the purpose & requirements of ISO 27001 Clause 6.3, types of ISMS change it covers, and key considerations when putting it into practice.
Read more
Our partnership with URM has been outstanding. From supporting us with our own Cyber Essentials certification to assisting our customers with Cyber Essentials, ISO 27001, and virtual CISO services, URM consistently delivers exceptional service. Their expertise, open communication, and ability to allocate the right expert resources for specific requirements makes every project seamless. We highly value their support and look forward to continuing our collaboration.
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.