Expert Advice Community

Top management and information security

Guest user. Created: Aug 27, 2018. Last commented: Aug 27, 2018

Having completed the ISO 27001 Foundations course I would appreciate receiving your explanation regarding Clause 5 – Leadership.
Expert
Rhand Leal Aug 27, 2018

Top management usually are focused on sales and goal achievement and, though they can be worried about information security, I can imagine his face when I ask them to establish the ISMS and information security policy and objectives. I am not saying they don’t want to cooperate or support the implementation of ISO 27001, but for sure he will tell me: “You are the expert in information security!! You have to establish policies and objectives!!”
How can I help him/them to define policies and objectives? In fact, if I were the CEO I would not be as familiar with information security as I am, so I would not be surprised to receive such an answer.

Answer:

As you mentioned, top management normally are not familiar with information security, so it is you who has to help them with your knowledge to define information policies and objectives (not the other way around). You can do that by asking them what they consider most relevant to the business and, based on their answer, develop the information security policies and objectives in a way that will support these issues.
For example, if they are focused on sales, one security objective may be to decrease the downtime of the website through which the organization does its sales. Another issue that may be relevant to top management is customer satisfaction, and a security objective may be to protect customer data against unauthorized access.

Based on these objectives you can develop the information security policy, and other policies as well.

These articles will provide you further explanation about gathering top management information:
- Top management perspective of information security implementation: https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/
- How to identify ISMS requirements of interested parties in ISO 27001: https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
- Aligning information security with the strategic direction of a company according to ISO 27001: https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
