The idea behind

One of the very first statements of the ISO 27001 standard is that the adoption of an ISMS (information security management system) is always a strategic decision. The standard's requirements on management involvement in information security are the same for everyone, but the top management view may vary. Managers who want to use the standard want to look at their organization's information security systematically and comprehensively. On the other hand, those who have to use it (due to some external obligation) sometimes don't consider themselves to belong to the group that the standard calls "interested parties". But they are. In this case they will have to bear the costs only, without enjoying all the advantages. Fate leads the willing and drags along the reluctant.

Management involvement in Information Security

Management support and participation are required both for the introduction project and for the operation of the ISMS. Right at the beginning of the ISMS implementation project, management expectations have to be gathered and buy-in obtained. The organization has to name a project manager who has the right and the means to escalate problems or decisions to top management. Information security is not an add-on to the organizational processes; it has to be an integral part of them.

Managers are responsible for ensuring that information security policies are followed by everyone in the company. There may be controls that work differently for managers, but there always has to be a reason for that. If the rules are ignored just for the sake of convenience, "exceptions" will flourish at lower levels of the organization as well. Those who operate the ISMS on a daily basis have the task of waving the flag for the staff, but they have to be backed by top management.

The operation of a management system requires top management involvement mainly through approving the ISMS policy, monitoring the results of effectiveness measurements and making informed decisions based on them. Earlier versions of the ISO 27001 standard required the naming of an information security manager, but the current version only requires the allocation of information security responsibilities. The bigger an organization is, the more common it is to separate these responsibilities (typically between a CISO and a security manager). Because of the many IT-related requirements of the standard, the IT manager of the organization is always involved in the implementation and in the operation as well.


Is an ISMS expensive?

There are costs associated with the introduction and the operation of the management system. Their level depends on the industry the organization operates in (for example, telco, utility and financial companies face higher risks). Excess costs can be avoided if the standard's requirements are properly interpreted. The costs are typically lower than some managers fear, and far below the cost of an incident. This is because the standard does not force any particular system on the organization. There are typical solutions, but they are best practices, not requirements. Control requirements are rather objectives: they define the purpose of the control, not the implementation method.