ISO 27001 Clause 5
This clause requires top management to lead the ISMS, establish the information security policy, and assign roles, responsibilities and authorities for the system.
ISO 27001 Clause 5 - Leadership
Clause 5 places direct responsibility for the information security management system on top management. This responsibility cannot be delegated to the information security manager or the IT team. The standard expects top management to set direction, allocate resources, communicate the importance of information security and stay actively involved in the system.
Sub-clauses of ISO 27001 Clause 5
Clause 5.1 - Leadership and Commitment sets out the eight specific responsibilities that top management must demonstrate, including establishing the policy and objectives, integrating ISMS requirements into business processes and providing the necessary resources.
Clause 5.2 - Information Security Policy requires top management to establish a documented information security policy that sets the framework for the ISMS and is communicated within the organisation and to relevant interested parties.
Clause 5.3 - Organisational Roles, Responsibilities and Authorities requires top management to assign and communicate the roles and responsibilities for the ISMS, including the responsibility for reporting on its performance.
