I have a question regarding the implementation of ISO-27001. To what extent should the ISMS consider the actions and decisions of the sole owner of an organization? This person supports the implementation of the ISMS and complies with all arranged security practices. However, he/she could theoretically decide to bypass any security controls or simply stop financing the company at any time and no ISMS or business continuity plan could stop that from happening, given that employees don't have the authority to enforce rules or impose disciplinary action. Hence my question, should any of these rules or unlikely scenarios be contemplated at all?
According to ISO 27001, the ultimate actions and decisions to be considered for the ISMS are those from the top management, not those from the owner of the company - of course, if the owner of the company is also its CEO then this person will have full power to make decisions.
In practice, the top management will have to act and decide on how to support the ISMS with resources and ensure security policies and procedures are followed; if not, the company might lose its certificate.
In case the top management wants to change some security objectives/controls/priorities/resources, etc., this must be in writing, taking into account risks and requirements of interested parties (e.g., the company's owner, customers, suppliers, government, etc.) - in other words, such decisions must be made taking into account the security needs.