Email Icon
info@urmconsulting.com
Phone Icon
0118 206 5410
Governance, Risk Management and Compliance
|
Information Security
|
ISO 27001
BLOGS

How Do You Gain Top Management Commitment?

|
|
PUBLISHED on
20 Jul
2022

Table of Contents

In previous blogs, we have tackled a number of fundamental ISO 27001 components.  In this blog, we’ll take a look at management commitment, one of the most significant.  

Commitment from your leadership team is absolutely crucial to managing information security within your organisation.  In just the same way as pretty much any initiative, if your organisation’s leadership doesn’t believe in information security and doesn’t demonstrate that it believes in it, then any initiatives and improvements are highly likely to fail.

The attitude of your leaders has a big impact upon the success or failure of your information security efforts, as their behaviour directly affects the culture of your organisation.  Those organisations with members of the leadership team that visibly demonstrate a lack of support for the information security management system will find it very difficult to convince others within the organisation to behave differently.  This can lead to a negative security culture within the organisation.

So, we know that gaining management commitment is vital, but exactly how do we demonstrate this?

There are several different ways in which your leadership team can demonstrate support and commitment to the cause.  The first is with direct involvement in information security governance.  Governance is primarily about effective communication.  This starts from the leadership team down through development, approval and implementation of effective policy and continues from the rest of the business upwards, through effective reporting.  Your leadership team should be directly involved in the decision-making process regarding appropriate policy to be implemented, and approve those policies once drafted.  Similarly, leadership should demonstrate that it is taking any reporting seriously and should be involved in decisions made in response to such reports.

There are other areas which leadership should get involved with including:

  • Communicating directly with the business regarding the importance of information security, e.g., through the use of newsletters, chat sessions, video broadcasts etc
  • Signing off residual risk and agreeing on the risk appetite
  • Supporting other management roles throughout the organisation to ensure that policy and processes are embedded
  • Chairing risk and audit committee meetings and information security forum sessions
  • Ensuring that appropriate and adequate resources are provided for the implementation, operation and continual improvement of your information security efforts.

Of course, there is a critical driver for the leadership team to get involved in order to ensure that your information security efforts are performing as expected – that driver is accountability.  Depending upon their position within the organisation, members of the leadership team could be held personally liable if your information security efforts fail to such a degree that legislative or regulatory requirements are not met.

Read more
Read more
find OUT more on:
ISMS
Information Security Management System

Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification
Recent blogs
Planning Your ISO 27001 Audit Programme
Data Protection Considerations for Artificial Intelligence (AI)
The Finer Details of PCI DSS v4.0
How to Develop a Robust Business Continuity Plan
I’ve Got my Cyber Essentials - Now What?
How URM can help?
Consultancy
Book FREE Consultation

URM is pleased to provide a FREE consultation on Transitioning to ISO 27001:2022 for any UK-based organisation.

Read more
Consultancy
Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification

Read more
Consultancy
ISO 27002:2022 Support

URM can provide a range of ISO 27002:2022 transition services including conducting a gap analysis, supporting you with risk assessment and treatment activities as well as delivering a 2-day transition training course.

Read more
URM regularly holds FREE seminars and webinars on implementing ISO 27001
Find out more
related BLog posts
Thumbnail of the Blog Illustration
Information Security
Published on
9/2/2024
The New Threat Intelligence Requirements in ISO 27001:2022

URM’s blog discusses the changes to the requirements around threat intelligence in ISO 27001:2022 and what certified organisations will need to do differently.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
27/7/2022
Difference Between Certified and Compliant ISO 27001 ISMS

There is some confusion about the difference between having an ISMS which is certified to ISO 27001 and one which is compliant or aligned to the Standard.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
19/7/2022
How do you Categorise Your Assets When Conducting an Information Security Risk Assessment?

‘How do we approach asset identification within our information security risk assessment?’. This blog examines which assets or asset types to include.

Read more
"
Leanr more about
URM Services
Thank you for a very informative and useful presentation on the updates to ISO27001 and ISO27002.
Jason R.
Webinar 'ISO 27001:2022 – What’s new?'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.
Services
Training
Consultancy
Products
About URM
About URM
URM Data Sheets
Contact URM
URM White papers
Case Studies
URM Blog
Collaboration
Secure File Portal (SFP)
Partner with URM
Subscribe to Mailing List
© Copyright 2024 URM Consulting Services Ltd. All Rights Reserved.
|
Privacy Policy
|
Cookies
|
Terms of Business