
Table of contents

ISO 27001 Leadership and Commitment

What is ISO 27001 Clause 5.1?
ISO 27001 Clause 5.1 Implementation Guide
ISO 27001 Templates
How to pass an audit of ISO 27001:2022 Clause 5.1
Top 3 Mistakes People Make
ISO 27001 Clause 5.1 Summary
ISO 27001 Clause 5.1 FAQ
ISO 27001 Clause 5.1 Purpose
The purpose of ISO 27001 Clause 5.1 Leadership and Commitment is to make sure that information security is driven from the top. Without this level of commitment and drive, the information security management system is doomed to fail.
Handing this to IT to solve, or devolving it to more junior staff, will see people not doing what they should because of conflicting priorities.
ISO 27001 Clause 5.1 Definition
The ISO 27001 standard defines ISO 27001 Clause 5.1 as:
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation;
b) ensuring the integration of the information security management system requirements into the organisation’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
ISO 27001:2022 Clause 5.1 Leadership and Commitment

ISO 27001 Clause 5.1 Requirement
There are eight specific requirements when it comes to leadership and commitment. This is a testament to how seriously the standard takes it. Read the implementation guide below to see exactly what they are and how to quickly and simply meet the requirements.

ISO 27001 Clause 5.1 a: Ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation
You will write your information security policy and your associated information security policies based on the needs of the business and the risks the business faces. These are defined as part of the process of building your information security management system (ISMS).
Ensure that your information security objectives are Specific, Measurable, Achievable, Realistic and Timely (SMART) and that for each objective you clearly set out what the measures are.
The information security objectives are recorded and communicated in the Information Security Policy, and they are included as part of the structured agenda at the Management Review Team meeting for reporting and oversight.
Your company mission and values, and who you are, are recorded in the Organisation Overview.
ISO 27001 Clause 5.1 b: Ensuring the integration of the information security management system requirements into the organisation’s processes
The concept of ‘if it is not written down it does not exist’ runs through ISO 27001 certification. The organisation’s processes will need to be written down and formatted in documents with appropriate document mark-up and version control.
Satisfy this by having information security policies in place and then writing and aligning your actual processes to those policies. Don’t forget to document the processes of the in-scope products and services.
Policies are statements of what we do, not how we do it. How we do it is covered in these process documents. The process steps recorded are very specific, so that anyone, even someone who has never worked in this area before, can follow them and achieve the same, consistent result.

ISO 27001 Clause 5.1 c: Ensuring that the resources needed for the information security management system are available
To lead the work you really should consider bringing in some specialist help. The knowledge and experience of someone who has done this many times before will pay dividends and stop you making costly mistakes and wasting a lot of time.
Then it is a case of understanding the ISO 27001 standard and the ISO 27001 Annex A controls (referred to as ISO 27002) and allocating members of your team to those controls. You do this by recording them in an ISMS Annex A Controls – Accountability Matrix, which assigns responsibility for each ISO 27001 Annex A control.
It is fine for the work to be carried out by a third-party company, but you must still assign internal responsibility for managing it and ensuring it gets done.
Working out who your information security leadership team is will be straightforward, and you will implement a Management Review Team that will be responsible for the oversight of the information security management system (ISMS). The best way to work out who attends this is to have a senior representative from each department in the business plus (if not already covered) a member of the senior leadership team.

ISO 27001 Clause 5.1 d: Communicating the importance of effective information security management and of conforming to the information security management system requirements
Communication is expected at all levels, across all media, and has some very specific requirements. It can easily be implemented and evidenced.
It can take many forms. For example, it will be part of any legal contracts that you have with suppliers and with clients, as well as with employees.
You will implement an Information Security Awareness and Training Policy that sets out the training and awareness for the company, as well as deploying training tools that allow you to schedule your communications and include acknowledgement of understanding, such as tests or quizzes, that you can use to evidence your compliance.
Plan your training based on business need and business risk, but you will do Basic Information Security Awareness Training and Basic Data Protection Training at least annually. You may tailor your training and communication to specific groups and sub-groups based on their specific needs.
Implement a Communication Plan that sets out the communications for the year across media and approaches. It will be both a plan and a record of what was communicated, who communicated it, to whom, and how, and it will include the evidence that the communication took place.
There may be other processes that involve communication that you will evidence. Here we think about offboarding an employee, when they leave or are terminated, where we want to communicate again their requirements under contract for information security and the expectations that we place on them.

ISO 27001 Clause 5.1 e: Ensuring that the information security management system achieves its intended outcomes
The Information Security Management System (ISMS) sets out the objectives. These are managed and reviewed at the Management Review Team meeting, which is documented in the document: Information Security Roles Assigned and Responsibilities.
The agenda template covers the requirements of the standard, including the regular reporting and monitoring of the information security measures we have put in place for our information security objectives. Getting the measures right, and then recording and reporting on them, is a primary approach to ensuring intended outcomes.
In addition, an ongoing programme of internal audit is conducted; the Audit Plan sets out the audits for the year. Internal audit is part of continual improvement, a founding principle of ISO 27001, and you will implement the Continual Improvement Policy and associated processes. This process uses the Incident and Corrective Action Log to capture and manage the corrective actions and improvements.

ISO 27001 Clause 5.1 f: Directing and supporting persons to contribute to the effectiveness of the information security management system
We want people to contribute effectively, and the way we do that is by communicating with and supporting them. If we don’t tell people what is expected, we cannot expect them to do it. You will have employment contracts and third-party contracts that include coverage of information security requirements.
You will have a Competency Matrix that captures the core competencies and training requirements of staff in relation to information security.
Your Information Security Awareness and Training Policy sets out the training and awareness, and your training tool and package is used to manage the process and the compliance.
The Communication Plan sets out the communications for the year across media and approaches, as discussed above.
ISO 27001 Clause 5.1 g: Promoting continual improvement
As discussed, continual improvement is baked in and is a core principle. This is not a one-and-done exercise. The external audits will happen every year, as will your ongoing internal audits. Incidents will happen that need managing. Deviations from policy and procedure will happen. New ways of working and new tools will be identified.
Your Continual Improvement Policy sets out the continual improvement policy, and the Incident and Corrective Action Log captures and manages the corrective actions and improvements.
The Communication Plan sets out the communications for the year across media and approaches, and your Management Review Team oversees the entire continual improvement process.

ISO 27001 Clause 5.1 h: Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility
For this sub-clause, the Information Security Roles Assigned and Responsibilities document sets out the roles and responsibilities with allocated resources.
A Management Review Team should be put in place with representatives from across the business. The Competency Matrix captures the core competencies and training requirements of staff in relation to information security.
ISO 27001 Templates
ISO 27001 templates have the advantage of being a massive boost that can save time and money, so before we get into the implementation guide we consider these pre-written templates that will skyrocket your implementation.

How to pass an audit of ISO 27001:2022 Clause 5.1
To pass an audit of ISO 27001 Clause 5.1 you are going to make sure that you have followed the steps above in the implementation guide. You are then going to conduct an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.
What will the auditor check?
The audit is going to check a number of areas for compliance with Clause 5.1. Let’s go through them.
1. An interview with senior leadership
Part of the audit process will be a series of interviews, and at least one will be with senior leadership. Here they will ask questions about the information security management system. They will ask about the objectives for information security, when they last did a management review, where the policies are, and whether there have been incidents in the last 12 months. This is a general interview, but it will catch you out if your senior leadership is not actually involved.
2. Your documentation
It is simple, but they will check the required documents and processes of the information security management system (ISMS) that relate to leadership and commitment. This usually means the communication plan and the communications sent, that management reviews have happened and that you can evidence them, and that all documents and processes have been signed off and communicated. Work through the implementation guide above and be sure to complete it.
3. That you have resources
Part of leading and showing commitment is to have adequate resources in place to run the ISMS. Here they are looking at roles and responsibilities, the competency matrix and the training plan. Are people allocated to roles, and do they have the skills to perform the tasks?

Top 3 Mistakes People Make
In my experience, the top 3 mistakes people make for ISO 27001 Clause 5.1 are:
1. Leadership are not engaged
It is easy to document roles and responsibilities and say leadership is engaged and committed, but it is another thing for it to actually happen. If they pay lip service, come the audit and the interviews you will get caught out. Putting the audit aside, not having commitment means it is highly likely your ISMS isn’t actually effective, and if you are responsible for it you are going to spend most of your career there frustrated.
2. You cannot evidence management reviews
The guides and toolkit give you the resources to address this, but many organisations just don’t do reviews. Or, when they do, the wrong people attend, making it ineffective. Be able to evidence management reviews that follow the structured agenda of the standard.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no leftover comments are all good practices.

ISO 27001 Clause 5.1 Summary
Getting this right is important. Without the leadership and the commitment, the information security management system will fail. Think about why you are doing it and check that management agrees. If they do not, or they see it as a burden, then you are doomed to fail from the outset. It can be treated as just a tick-box exercise but, to succeed, it really should not be.

ISO 27001 Clause 5.1 FAQ
What are the ISO 27001:2022 changes to Clause 5.1?
There are no changes to ISO 27001 Clause 5.1 in the 2022 update.
What is ISO 27001 Clause 5.1?
ISO 27001 Clause 5.1 is an ISO 27001 control that requires an organisation’s leadership team to be accountable for, and to demonstrate commitment to, information security and the information security management system (ISMS).
Who is responsible for ISO 27001 Clause 5.1?
Responsibility for ISO 27001 Clause 5.1 lies with the Information Security Manager.
Who is accountable for ISO 27001 Clause 5.1?
Accountability for ISO 27001 Clause 5.1 lies with senior management and leadership.
Who owns ISO 27001 Clause 5.1?
Ownership of ISO 27001 Clause 5.1 lies with the Information Security Manager.
What are the benefits of ISO 27001 Clause 5.1?
Improved security: you will have an effective information security management system that is led by senior leadership and their commitment.
Reduced risk: you will reduce the risk to your information security management system by having the most senior leadership on board.
Improved compliance: standards and regulations require leadership commitment to be in place.
Reputation protection: in the event of a breach, having leadership commitment will reduce the potential for fines and reduce the PR impact of an event.
Why is ISO 27001 Clause 5.1 important?
ISO 27001 Clause 5.1 is important because without it your information security management system will fail and you won’t achieve your ISO 27001 certification. It is as simple as that.
