Leadership, Commitment and its Role in the ISMS


Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:00
Moving on to module three.
00:02
During this module, we'll be going through Clause 5,
00:05
Leadership.
00:10
Lesson 3.1:
00:12
Leadership and its commitment and its role in the ISMS.
00:19
Almost nothing as large scale as an ISMS is possible without the support and commitment, as well as the financial backing, of top management.
00:28
That's probably why ISO 27001 dedicates a whole clause just to leadership.
00:35
We're now starting with Clause 5,
00:38
and Lesson 3.1 is specific to Clause 5.1, Leadership and Commitment.
00:47
So why is top management commitment important?
00:50
I'm pretty sure we all know this one.
00:52
It's a pretty standard "why" across most information security initiatives:
00:57
programs and governance are always more successful when the tone is set at the top and the culture is fed through the entire organization,
01:03
a bit of a lead by example.
01:07
There are many reasons, and the most pertinent ones are highlighted in the standard itself.
01:12
Firstly, top management sets the tone at the top and is a key role player in bringing the whole organization on board.
01:21
Top management is also key to ensuring that the objectives of the ISMS are aligned to the overall business strategic objectives and direction.
01:30
But what if top management doesn't see the benefit?
01:34
How does one convince them to buy into the ISMS and throw their full weight of support behind it?
01:40
While there might not be a clear-cut answer to this one, there is one tool that can certainly help to show top management all the ins and outs pertaining to your ISMS journey,
01:49
specifically the benefits and any return on investment that will be realized.
01:53
I'm talking about a business case, and we'll get to that in the next couple of slides.
02:02
So how is top management commitment demonstrated? What sort of proof
02:08
can one have to show top management is behind your ISMS?
02:15
ISO 27001 provides eight specific points on how top management commitment
02:21
should be demonstrated within an organization.
02:23
During the audit,
02:25
during, sorry, during your audit, the auditor will most likely interview a number of top management representatives to gauge their understanding of the ISMS, its progress of implementation within the organization,
02:38
and what the top risks are that the system is managing.
02:42
These are only some of the questions I could ask,
02:44
and each auditor would have their own way of asking questions and assessing the level of top management commitment.
02:51
Unfortunately, there are many organizations that treat activities such as implementing an ISMS or obtaining an ISO 27001 certification
03:00
as a check-box exercise.
03:02
This approach often appears quite see-through during an audit.
03:07
The culture, mindset and commitment must be visibly demonstrable,
03:13
and even though this section is pertinent to top management, the same applies for all personnel within your organization.
03:22
Top management needs to help ensure alignment between your information security objectives
03:27
and the organization's strategic objectives.
03:30
Top management is also key to ensuring integration of the ISMS requirements into business processes,
03:38
ensuring that the required resources are made available, whether this is financial, technology, resources, whatever it may be.
03:47
Top management is also a key role player when it comes to communicating the importance of information security
03:53
management and demonstrating conformance to the requirements of the ISMS.
04:03
Top management plays a key role in ensuring that the intended outcomes of the ISMS are achieved.
04:11
Top management needs to provide direction and support to the teams contributing to the effectiveness of the ISMS.
04:17
Top management is a key role player to actively promote continual improvement.
04:25
Top management also would need to provide support to other management roles to demonstrate their leadership
04:30
relevant to the ISMS in their areas.
04:34
That's quite a lot that top management is involved in.
04:43
So what documentation can one use to further prove the
04:47
involvement of top management or their commitment to the ISMS?
04:55
When you go through your certification audit, there are a couple of documents that the auditor would want to view
05:00
to ensure that top management is as committed as you say they are.
05:05
Some of these documents can include budgets for ISMS activities,
05:11
meeting minutes and attendance registers for ISMS-related discussions and workshops,
05:16
approval of various supporting documents and policies,
05:21
evidence of participation in risk management and assessment workshops,
05:27
and official communication to the organization from top management pertaining to the ISMS.
05:34
While this documentation is not specifically listed as mandatory, it is beneficial to the audit process,
05:42
especially as tangible evidence of top management being involved.
05:47
The mandatory information that is required
05:50
is the information security policy and the ISMS manual.
05:55
In some cases these are one document, but I prefer to keep these separate.
06:00
These will be covered in the following section in a bit more detail.
06:03
In those documents, there is a mandatory section pertaining to top management,
06:08
specifically their commitment,
06:12
that pertains directly to a statement from top management which formally depicts in writing
06:17
the management commitment to the achievement of the ISMS objectives
06:21
as well as to continually improve on the ISMS
06:26
in conjunction with the overall security posture of the organization.
06:36
Earlier, we mentioned a business case and how this can be beneficial to bringing top management on board with your ISMS
06:44
and gaining their commitment.
06:47
A fantastic resource that one can use
06:51
is
06:53
a business case.
06:55
There is also an online resource
06:58
known as the ISO 27001 Forum,
07:02
which is dedicated to dishing out information resources relating to ISO 27001.
07:08
They have an example of a business case template in their ISO 27001 Toolkit.
07:15
Some of the items that you can include in your business case have been included here.
07:20
Make sure your business case outlines the benefits of the ISMS,
07:25
which can include information security risk reduction,
07:28
streamlining and securing of processes to leverage cost saving,
07:31
as well as providing trust to clients and stakeholders, which increases your brand value.
07:38
Outline the costs of the ISMS.
07:41
Top management will want to know all the costs involved,
07:44
whether it's costs of bringing auditors in,
07:46
internal costs of resource time,
07:49
whether or not additional tools, software or resources are required.
07:56
Include a section on the return on investment.
08:00
An ISMS will yield some sort of benefit to your organization.
08:03
It is important to quantify and frame this out for top management, so they understand that
08:09
any costs invested into this process will have some sort of yield long term.
08:20
To summarize.
08:22
In this video we covered why top management commitment is important for the success of the ISMS and certification.
08:28
We also looked at ways in which top management can demonstrate their commitment.
08:35
We covered the documents that are required by the standard
08:39
and that these can prove top management commitment to an auditor.
08:43
We also briefly covered how a business case can help sell your ISMS to top management
08:48
and bring them on board more easily.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.