A detailed comparison between ISO 9001 and 27001
Download our detailed ISO 9001 and 27001 comparison today
In a recent post, we noted that senior leadership must play an active role in the ISO 27001:2022 compliance journey. Annex A control 5.4 Management Responsibilities details specifically what management must do to comply with the ISO 27001:2022 standard.
The best way to think about management’s role in ISO 27001 is as the support system. Especially in larger companies, managers do not need to roll up their sleeves and get deeply involved in the ISMS implementation.
Here are five ways management can fulfill the requirements of control 5.4 in ISO 27001 Annex A.
Pushing through compliance procedures can be difficult for non-management employees, especially if the team does not understand or appreciate the importance of information security. Through town hall meetings, executive messages, and more, management should relay to the team why information security is important and why everyone should do their part to keep the organization’s data secure.
Creating security policies and procedures is not just an IT responsibility. Management needs to be aware of the organization’s cybersecurity posture and should ensure that all information security policies align with overall business objectives. Management comes to ISO 27001 with a 30,000-foot view of the organization and that is essential.
An executive leader may find it difficult to support unfamiliar concepts. That is why ISO 27001 seeks to weave management into roles for approval for policies, procedures, and plans. Management should approve information security policies, roles and responsibilities, and training plans. In addition, they should assist with monitoring personnel to make sure everyone is fulfilling his or her responsibilities.
ISO 27001, like anything pertaining to information security, is not a “one and done.” Management needs to show proof that they are continuously monitoring the ISMS and all plans and procedures to make sure everything is still working. Information security changes constantly and quickly, so a policy that is effective at the start may lose its effectiveness as time passes. Leadership should also be accessible to employees who need to report violations or who are lacking in the implementation of policies and procedures.
Continuous improvement is a key concept of continuous monitoring. ISO 27001 requires documentation showing that a company’s information security continues to improve over time. This means not only preventing cyberattacks but also addressing gaps that arise in the organization’s information security posture. IT team members may complete the majority of the activity, but management must ensure the work is happening and that everyone is documenting these improvements.
One of the key messages of ISO 27001 is that senior management must understand and support all information security efforts. Annex A Control 5.4 represents just one way the standard works to ensure management’s involvement.
What questions do you have about ISO 27001:2022? Is your organization ready to talk about an ISO 27001 audit? Schedule a meeting using this link to pick a time convenient to you: https://calendly.com/robert-mcvay/cybersecurity-initial-engagement