ISO 27001 Clause 5: Leadership
ISO 27001 Clause 5 highlights the leadership role in an ISMS. An ISMS will be “checkbox compliance” and ineffective without senior management backing.
Leadership actions under Clause 5 must align with the organisation’s purpose and strategic direction, ensuring that information security objectives support the business’s overall goals.
Here, I’ll walk you through it step by step.
Read on below to learn what it means and how to implement it.
For SMEs, Clause 5 of 27001 often means involving the owner, CEO, or top management team in information security. They can’t just assign it to a junior team member as a compliance activity and never think about it again. They must demonstrate ongoing involvement, awareness and guidance.
This guidance focuses on Clause 5 but is part of the wider introduction to ISO 27001’s Clauses. Please click the link below for a higher-level view and context of all the clauses.
What are the Subclauses of ISO 27001 Clause 5: Leadership?
Three main subclauses outline how an organisation should approach leadership. They are:
- Clause 5.1 – Leadership and Commitment
- Clause 5.2 – Policy
- Clause 5.3 – Organisational Roles, Responsibilities and Authorities
Clause 5.1 – Leadership and Commitment
Clause 5.1 requires ‘top management’ to demonstrate leadership and commitment for the information security management system (ISMS).

What does that mean practically?
It means senior leaders should:
- Ensure the information security policy and objectives are established and aligned with the organisation’s direction. Management needs to integrate ISMS requirements into the organisation’s processes, ensuring that security controls and measures are embedded rather than treated as an isolated IT project.
- Provide the necessary resources and ensure adequate support for the ISMS. If the security team says, “to mitigate this risk, we need to implement X,” leadership should consider and allocate budget, personnel, or other resources as appropriate to support the information security management system.
- Communicate the importance of information security and conformance to ISMS requirements. Leaders should set the tone. This could be done through emails to staff about security, discussions in all-hands meetings, or the inclusion of ISMS performance in management discussions. Actively engaging with staff helps foster a strong security culture and promotes information security awareness throughout the organisation.
- Support roles and collaborate. They need to empower the person in charge of the ISMS (like an Information Security Manager), supporting persons, and other relevant management roles, and remove obstacles to their duties. Clearly defining key roles and involving the leadership team ensures the ISMS is effective.
- Promote continual improvement. Leaders shouldn’t see ISMS as “we did it, check the box” but encourage ongoing security enhancement. Regular management reviews and evaluations help ensure the management system and the ISMS achieve their intended outcomes.
In a small company, leadership and commitment might be demonstrated by the managing director personally kicking off the ISO 27001 project, regularly checking progress, and being present at key meetings (such as risk assessment workshops or the management review), with senior management and human resources actively participating in ISMS activities.
It could also be as straightforward as the CEO addressing all employees with a statement such as “we are implementing ISO 27001 because we value our customers’ trust, and we expect everyone to follow the new security policies.” Addressing information security risks, and actually reducing them through effective information security management, is a key part of this commitment.
The main point: the ISMS must have visible and genuine support from the top.
Auditors, including the external auditor, often interview top management to gauge their commitment and require evidence of leadership’s involvement.
If an MD or CEO is clueless about the ISMS or treats the audit as a nuisance, that’s a red flag. Conversely, if they can explain why security is important, the ISMS goals, and how the information security management system supports the protection of information assets, it demonstrates compliance with 5.1.
ISO 27001 auditors want to see that senior leaders feel accountable and don’t consider themselves “above” the ISMS policies.
Clause 5.2 – Policy
ISO 27001 Clause 5.2 requires the establishment of an Information Security Policy.

This is a high-level document, typically a brief policy statement from top management, that sets the direction for information security in the organisation. It may then link to subpolicies on the acceptable use of equipment or Bring-Your-Own-Device (BYOD) policies.
The Information Security Policy is effectively the parent policy that every employee, contractor and supplier should be issued with, so they can review it and understand how the organisation approaches security.
The standard says the policy should:
- Be appropriate to the organisation’s purpose (so it reflects your business context and needs).
- Include commitments to satisfy applicable requirements (like laws, customer requirements) related to information security.
- Include a commitment to continually improve the ISMS.
- Include the objectives of the ISMS or the framework for managing them.
In simpler terms, the policy should explain why information security is important to the organisation and what it intends to do about it. The policy guides employee and stakeholder behaviour, supports compliance, and underpins the ISMS by providing a formal statement of the organisation’s approach to information security.
Example: A policy might include a statement from the CEO such as: “This company is committed to preserving the confidentiality, integrity, and availability of all forms of information within our scope. We will meet all regulatory and contractual security obligations, manage risks through an ISMS per ISO 27001, and continuously improve our security posture.”
The policy should also be approved by top management (often literally signed by the CEO or equivalent), which is a strong signal of leadership commitment, as in the example above.
Additionally, the policy must be communicated within the organisation and be available to interested parties as appropriate.
In practice, you should distribute it to employees (via email, intranet, training, posters, etc.) and possibly share it externally (some companies publish a sanitised version of their policy or at least make a statement on their website for transparency).
For a smaller organisation, don’t overthink the policy—it doesn’t have to be long.
Clear, concise, and endorsed by the boss is the way to go.
My toolkit below contains policies, leadership statements, scope documents & workbooks to help you.
Tip: I highly recommend keeping the policy simple. Too often, the policies I see read like legal jargon, which makes them difficult for people to understand and therefore to comply with, and compliance is the primary purpose of the policy.
Make sure employees are aware of it; sometimes, auditors will ask a random employee whether they’ve seen the information security policy or what it generally says. Often, HR has systems that can track who has ‘read and accepted’ a policy, which is great for tracking as an ISMS KPI for performance later.
Ultimately, the Information Security Policy required by Clause 5.2 must be documented. Auditors will ask to see it, check that it meets the criteria (commitments, etc.), and check that it’s current (e.g., version controlled, signed this year).
Clause 5.3 – Organisational Roles, Responsibilities and Authorities
Clause 5.3 requires top management to ensure that roles and responsibilities for the ISMS are assigned and communicated.
Essentially, everyone should know what they are responsible for in the ISMS.
Examples of ISO 27001 Roles & Responsibilities
| Role | Description |
|---|---|
| ISMS Project Owner/Manager | Often a dedicated role like an Information Security Manager or IT Manager who is given the authority to run and coordinate the ISMS. This person often interacts with the auditor and coordinates implementation across departments. |
| Security Team or Committee | It is really important to have an ISMS committee, project team or a few key people (department reps) who take on ISMS duties as a team. This gives you a place to raise issues and make decisions, and is critical for advancing your ISMS smoothly. |
| Asset Owners / Risk Owners | The people who own particular information assets and the risks identified against them, and who therefore agree the risk treatment and accept any residual risk. Every entry in the risk register should have a named owner rather than defaulting to the ISMS manager. |
| General Staff Responsibilities | Outlining the major responsibilities of staff that everyone should understand and adhere to. These may be segmented into groups, such as ‘managers’ and ‘contractors’, etc. |
| Specific roles like Internal Auditor | There are a few roles that need to be assigned (or outsourced) for your ISMS, such as the internal auditor—someone independent who can review the compliance of your ISMS annually. |
| Incident Response Roles | Who manages security incidents if they occur, etc., should be clear (though this might come from Annex A processes, Clause 5.3 ensures roles are allocated). |
Clause 5.3 also states that those in roles must have the authority to fulfil their responsibilities. It’s pointless to make someone responsible for security if they can’t make changes or enforce policies, for instance.

In a small business, roles may overlap – that’s okay, but clarity is key. You might formally document roles & responsibilities in an “ISMS Roles and Responsibilities” document or within job descriptions.
At a minimum, ensure that by the time of the audit, it’s crystal clear who the ISMS leader is and that other staff know their part. A common way to implement this is via an organisation chart for the ISMS or a RACI matrix that lists tasks vs. people.
Auditor’s perspective: They will check that responsibilities are indeed assigned. They might review an org chart or a responsibility matrix and confirm that an ISO 27001 coordinator or lead has been appointed (auditors often like to interact with that person).
They might also interview a few people: e.g., ask the CEO, “Who is in charge of day-to-day ISMS management?” or ask some department head, “What is your responsibility in the ISMS?” to ensure effective communication of roles.
If your documentation says Alice is responsible for risk assessment, but Alice doesn’t know that, that’s a problem.
Tip: The ISO 27001 standard says only two responsibilities are mandatory: one to ensure the ISMS conforms to the standard and one to report on the ISMS’s performance to management. If these are the only roles you define, then I (and any auditor) would argue that you haven’t considered the R&Rs thoroughly enough.
A subtle point: Clause 5.3 ties to Clause 7.2 (Competence) and Clause 7.3 (Awareness). It’s not enough to assign someone a role; you must also ensure they’re competent to perform it (7.2) and aware that it is theirs (7.3). So these clauses interlink.
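As an added example (not from the article or any toolkit), here is a small Python check over a constructed RACI matrix and constructed HR acknowledgement records. It flags the Clause 5.3 gaps discussed above (a task with no or several Accountable owners, the two mandatory responsibilities left unassigned, a person named for a task who never acknowledged it) and computes the policy “read and accepted” rate mentioned in the Clause 5.2 tip as an ISMS KPI; all names, tasks and records are hypothetical sample data.

```python
from collections import Counter

# The two responsibilities that ISO 27001 Clause 5.3 itself names (see the Tip above).
MANDATORY_TASKS = (
    "ensure the ISMS conforms to ISO 27001",
    "report ISMS performance to top management",
)

# Constructed sample RACI matrix: task -> {person: letter}. Names are hypothetical.
# R = Responsible, A = Accountable, C = Consulted, I = Informed.
SAMPLE_RACI = {
    "ensure the ISMS conforms to ISO 27001": {"Jane Smith": "R", "John Doe": "A"},
    "report ISMS performance to top management": {"Jane Smith": "R", "John Doe": "A"},
    "risk assessment": {"Alice": "R", "Jane Smith": "A", "Bob": "C"},
    "internal audit": {"Sam (external)": "R"},                                 # nobody accountable
    "incident management": {"Jane Smith": "A", "John Doe": "A", "Bob": "R"},  # two accountable
}

# Constructed records of who has confirmed, in writing, a role they hold R or A for.
# Alice is named for risk assessment but has never acknowledged it (the case in the text).
SAMPLE_ROLE_ACKS = (
    {("Jane Smith", t) for t in SAMPLE_RACI} | {("John Doe", t) for t in SAMPLE_RACI}
    | {("Sam (external)", "internal audit"), ("Bob", "incident management")}
)

# Constructed HR data: everyone in scope, and who has clicked "read and accepted" on the policy.
SAMPLE_STAFF = ["Alice", "Bob", "Carol", "Jane Smith", "John Doe"]
SAMPLE_POLICY_ACCEPTED = {"Alice", "Bob", "Jane Smith", "John Doe"}


def check_raci(raci):
    """Return findings an auditor would raise: a mandatory responsibility nobody holds,
    a task without exactly one Accountable owner, or a task with no Responsible person."""
    findings = [f"mandatory responsibility not assigned: {t}" for t in MANDATORY_TASKS if t not in raci]
    for task, holders in raci.items():
        letters = Counter(holders.values())
        if letters["A"] != 1:
            findings.append(f"{task}: {letters['A']} accountable owner(s), need exactly 1")
        if letters["R"] == 0:
            findings.append(f"{task}: no responsible person")
    return findings


def unacknowledged_roles(raci, acks):
    """People named R or A in the matrix who have not confirmed they know it."""
    return sorted(
        (person, task)
        for task, holders in raci.items()
        for person, letter in holders.items()
        if letter in ("R", "A") and (person, task) not in acks
    )


def policy_ack_kpi(staff, accepted):
    """Share of staff (percent, one decimal) who accepted the policy, plus who is outstanding."""
    outstanding = sorted(set(staff) - set(accepted))
    return (round(100.0 * (len(staff) - len(outstanding)) / len(staff), 1) if staff else 0.0), outstanding


if __name__ == "__main__":
    print("findings:", check_raci(SAMPLE_RACI))
    print("unacknowledged:", unacknowledged_roles(SAMPLE_RACI, SAMPLE_ROLE_ACKS))
    print("policy acceptance KPI:", policy_ack_kpi(SAMPLE_STAFF, SAMPLE_POLICY_ACCEPTED))
```

Run it before an audit over your real matrix and acknowledgement export; anything it prints is a question the auditor is likely to ask.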
What are the Documentation and Outputs for ISO 27001 Clause 5?
Evidence of Management Commitment (5.1)
This one is a bit intangible to “document,” but there could be evidence like management meeting minutes discussing ISMS, emails from the CEO about security, budget allocations for security in planning documents, etc.
Some companies draft a brief “Management Commitment Statement,” signed by the CEO (essentially reiterating what’s in the policy and confirming their endorsement of the ISMS). It’s not required, but it’s nice evidence.
At a minimum, the signature on the policy and participation in management review (Clause 9.3) are evidence of commitment.
Meeting records
Keep notes or attendance logs if top management has been involved in ISMS meetings (say, a kick-off meeting or periodic ISMS project reviews). These can show the auditor that leadership was actively involved and informed. Clause 9.3.3 (Management review results) actually addresses this, but it’s highly relevant to demonstrating management commitment to the ISMS.
Information Security Policy (5.2)
A formal, approved policy document signed by top management.
This is a required document and will be one of the first things an auditor asks for. Also, ensure it has been communicated (you can show an email blast, an intranet posting, or HR records as evidence).
Organisational Chart or Roles Document (5.3)
Having a document outlining ISMS roles and responsibilities is very helpful. This could be part of an ISMS manual or a separate roles & responsibilities matrix.
While not explicitly mandated as a separate document, auditors expect to see clearly defined roles. They might also accept job descriptions or an org chart as evidence.
The output here is clarity, so produce something written that you can show the auditor, like “Security roles: John Doe (CTO) is the ISMS champion, Jane Smith (IT Manager) is the ISMS manager responsible for coordination, Bob (HR) and Alice (Dev) are on the ISMS committee, etc.”
What Do Auditors Look For in Clause 5

When preparing for ISO 27001 Clause 5, it’s essential to be ready for both external audits and the internal audit process. Demonstrating leadership commitment and providing clear evidence of compliance are critical for success in both types of audits.
Auditors will scrutinise Clause 5 to ensure the ISMS isn’t just an “IT initiative” without real management buy-in. Typical things they check:
Top Management Interviews
Often, the auditor will request a short interview with one or more top managers (CEO, COO, etc.) to gauge their commitment. They may ask questions like “Why did you decide to pursue ISO 27001?” “How do you, as a leader, stay informed about the ISMS progress and results?” “Can you describe some information security objectives for the company?”
The purpose is to confirm that leadership is aware and supportive. They don’t expect the CEO to know every control, but the CEO should know key points (policy, objectives, and importance of ISMS).
Information Security Policy Approval & Awareness Checks
They will review the policy to ensure it meets ISO requirements (commitment to requirements and improvement) and is appropriate. They’ll check that it’s approved (signed) and that it has been communicated (they might ask employees about it or ask how it’s distributed).
Auditors might do spot checks by asking a few staff what the InfoSec policy says at a high level or where to find it. A common question: “Have you been told about the company’s information security policy, and what does it mean to you?” They want to see that the policy isn’t just on a shelf.
Roles and Responsibilities Checks
The auditor will verify that an ISMS governance structure exists.
They might ask for an org chart of ISMS roles or a similar document. If you have a document, they’ll review it and possibly interview some of those people to ensure they understand their role.
For example, if your policy says, “The Information Security Manager is responsible for coordinating risk assessments,” the auditor might ask that manager, “How do you carry out risk assessments, and who is involved?” to see that they are fulfilling that role.
Resource Provision
Since leadership must ensure resources, auditors may ask how management provides them.
They could ask, “How do you decide on a budget for information security improvements?” or “Were there any instances where a needed security measure was approved by management?”
This ties into evidence—e.g., a project approval or budget line for security can show this.
Management not exempt
A savvy auditor may also try to see if executives follow the rules.
For instance, if the policy applies to all employees, does the CEO also abide by it (like locking their screen, attending security awareness training, etc.)?
Clause 5.1 implies leadership should set an example (no one is above the policies). If there’s any indication that a director refused to follow a security procedure, that could be a nonconformity. It’s rare, but something to be mindful of culturally.
Case Study
In one company I was consulting with, the auditor asked to see the information security policy and found it nicely written, signed by the CEO, and published on the intranet.
Then, during interviews, the auditor asked a mid-level manager, “How do you know management is committed to this ISMS?” The manager referenced that the CEO sent quarterly updates that included security elements and that the CTO led a monthly security team meeting. The auditor also asked the CEO what the biggest security risks to the business were—the CEO was able to mention a couple of relevant points (showing he was briefed and aware) and reach for the risk log.
These interactions were in-depth but satisfied the auditor that Clause 5 was well-implemented: leadership was visibly engaged, not just nominally.
FAQs
Why is leadership so important in ISO 27001 Clause 5?
Clause 5 puts leadership at the centre of the ISMS. Without visible and active support from top management, an ISMS risks becoming a tick-box exercise rather than something that truly protects the business.
Leadership ensures that information security is aligned with strategic goals, properly resourced, and taken seriously across the organisation. Auditors expect to see senior leaders engaged, not just signatories to a policy.
What documents are required for Clause 5?
The only mandatory document under Clause 5 is the Information Security Policy (Clause 5.2), which must be formally approved and communicated. However, auditors will also expect to see:
- Defined roles and responsibilities (Clause 5.3)
- Evidence of management commitment (Clause 5.1), such as meeting minutes, CEO communications, or budget approvals
- Possibly training or awareness records for top management
These show that leadership is not only on board but also actively involved.
What’s the best way to assign ISMS roles and responsibilities?
You don’t need a complex org chart, but you do need clarity.
Assign key ISMS roles (e.g., ISMS Manager, Internal Auditor, Risk Owner) and make sure those people are aware of and capable of fulfilling their responsibilities.
This could be documented in a RACI matrix, ISMS manual, job descriptions, or a dedicated roles document. Auditors will want to see that people aren’t just named in documents — that they actually know their roles and what they are responsible for.
Further Reading
Get a copy of ISO 27001 from here.