Leadership, Commitment and its Role in the ISMS

00:00

moving on to module three

00:02

during this module will be going through close five

00:05

leadership

00:10

Listen, 3.1

00:12

leadership and its commitment and its role in the ice mess

00:19

Almost nothing is large scale as an ice mess is possible without the support and commitment, as well as the financial backing off top management.

00:28

That's probably why I sold 27,001 dedicates the whole claws just to leadership.

00:35

We're now starting with Clause five

00:38

in less than 3.1 is specific to close 5.1 leadership and commitment.

00:47

So why is top management commitment important?

00:50

I'm pretty sure we all know this one.

00:52

It's a pretty standard y. Across most information security initiatives,

00:57

programs and governance are always more successful when the tone is set at the top and the culture is fed through the entire organization

01:03

a bit of a lead by example.

01:07

There are many reasons, and the most pertinent ones are highlighted in the standard itself.

01:12

Firstly, top management sets the tone of the top and is a key role player in bringing the whole organization on board.

01:21

Top management is also key to ensure that the objectives of the ice mess aligned to the overall business, strategic objectives and direction.

01:30

But what if top management doesn't see the benefit?

01:34

How does one convince them to buy into the ice mess and throw their full weight of support behind it?

01:40

While there might not be a clear cut answer to this one, there is one tool that can certainly help to show top management all the ins and outs pertaining to your eyes on this journey.

01:49

Specifically the benefits and any return on investment that will be realized.

01:53

I'm talking about a business case, and we'll get to that in the next couple of slides.

02:02

So how does top management commitment? How is it demonstrated? What sort of proof

02:08

can one have to show top management is behind your ice, Miss

02:15

I said 27,001 provides eight specific points on how top management

02:21

should be demonstrated within an organization

02:23

during the orderto

02:25

during sorry during your order, the orderto will most likely interview a number of top management representatives to gauge their understanding off the ice mess. It's progress of implementation within the organization,

02:38

and what the top risks are that the system is is managing.

02:42

These are only some of the questions I could ask,

02:44

and each order to would have their own way of asking questions and assessing the level of top management commitment.

02:51

Unfortunately, there are many organizations that treat activities such as implementing an icy mess or obtaining an eye. So 27,001 certification

03:00

as a check box exercise.

03:02

This approach often appears as quite see through during an audit.

03:07

The culture mindset and commitment must be visible visibly demonstrate able

03:13

even though this section is pertinent to top management, the same applies for all personnel within your organization.

03:22

Top management needs to help ensure alignment between your information security objectives

03:27

and the organization. Strategic objectives.

03:30

Top management also is key to ensuring integration of the ice messed requirements into business processes,

03:38

ensuring that the required re sources are made available. Whether this is financial technology, resource, whatever it may be,

03:47

top management is also a key role player when it comes to communicating the importance of information security

03:53

management and demonstrating conformance to the requirements of the items.

04:03

Top management plays a key role in ensuring that the intended outcomes of the ice miss are achieved.

04:11

Top management needs to provide direction and support to the team's contributing to the effectiveness of the ice. Miss

04:17

Top management is a key role player to actively promote continual improvement.

04:25

Top management also would need to provide support to other management roles to demonstrate their leadership

04:30

relevant to the ice miss in their areas.

04:34

That's quite a lot that top management is involved in.

04:43

So what documentation can one used to further prove the

04:47

involvement off top management or their commitment to the ISS? Miss,

04:55

when you go through your certification ordered, there are a couple of documents that the order to would want to view

05:00

to ensure the top management is as committed as you say they are.

05:05

Some of these documents can include budgets for ice, miss activities,

05:11

meeting minutes and attendance registers for ice melts, related discussions, workshops,

05:16

approval of various supporting documents and policies,

05:21

evidence of participation and risk management and assessment workshops,

05:27

official communication to the organization from top management pertaining to the items.

05:34

While this documentation is not specifically listed as mandatory, it is beneficial to the order process,

05:42

especially if you're in tangible evidence of top management being involved.

05:47

The mandatory information that is required

05:50

is the information security policy and the Ice Miss manual

05:55

in some cases thes air one document. But I prefer to keep these separate.

06:00

These will be covered in the following section in a bit more detail.

06:03

In those documents, there is a mandatory section pertaining to top management,

06:08

specifically their commitment

06:12

that pertains directly to a statement from top management, which formally depicts in writing

06:17

the management commitment to the achievement of the ice miss objectives

06:21

as well as to continually improve on the ice mess

06:26

in conjunction with the overall security posture of the organization.

06:36

Earlier, we mentioned a business case and how this can be beneficial to bringing top management on board with your eyes miss

06:44

and gaining their commitment.

06:47

Fantastic resource that one can use

06:51

is

06:53

a business case.

06:55

There is also an online resource

06:58

known as the I saw 27,001 Forum,

07:02

which is dedicated dishing information Resource is relating to ISO 27,001.

07:08

They have an example of a business case template in there. I so 27,001 Talk it.

07:15

Some of the items that you can include in your business case have been included. Yeah,

07:20

make sure your business case outlines the benefits of the ice mess,

07:25

which can include information security, risk reduction,

07:28

streamlining and securing off processes to leverage cost saving,

07:31

as well as providing trust to clients and stakeholders, which increases your brand value.

07:38

I like the cost of the isthmus.

07:41

Top management will want to know all the costs involved,

07:44

whether it's costs of bringing auditors involved.

07:46

Internal costs of resource time.

07:49

Whether or not additional tools, software or re sources are required

07:56

include a section on the return on investment.

08:00

A nice um s will yield some sort of benefit to your organization.

08:03

It is an important Thio quantify and frame this out for top management, so they understand that

08:09

any costs invested into this process will have some sort of yield long term

08:20

to summarize.

08:22

In this video we covered white top management commitment is important for the success of the Smiths and certification.

08:28

We also looked at ways in which top management can demonstrate their commitment.

08:35

We covered the documents that are required by the standard

08:39

and that this can prove top management commitment to an auditor.

08:43

We also briefly covered how a business case can help solve your ice means to top management