Introducing ISO 27001 Clause 5: Leadership
ISO 27001 Clause 5 highlights the pivotal role of leadership in an ISMS. An ISMS will be “checkbox compliance” and ineffective without management backing.
For SMEs, Clause 5 of ISO 27001 often means getting the owner, CEO, or top management team actively involved in information security.
This guidance focuses on Clause 5 but is part of the wider introduction to ISO 27001’s clauses. Please see the linked clause overview for a higher-level view and context of all the clauses.
Read on below to learn what it means and how to implement it.
What are the Subclauses of ISO 27001 Clause 5: Leadership?
Three main subclauses outline how an organisation should approach leadership. They are:
- 5.1 Leadership & Commitment
- 5.2 Policy
- 5.3 Organisational Roles, Responsibilities and Authorities
Clause 5.1 – Leadership and Commitment
Clause 5.1 requires top management to demonstrate leadership and commitment for the ISMS.
What does that mean practically?
It means senior leaders should:
- Take accountability for the ISMS’s effectiveness. They own it. For instance, a CEO should be able to say, “Information security is important here, and I’m ultimately accountable for it.”
- Ensure the information security policy and objectives are established and aligned with the organisation’s direction. Management needs to integrate ISMS requirements into business processes, not treat them as an isolated IT project.
- Provide the necessary resources for the ISMS. If the security team says “to mitigate this risk we need to implement X,” leadership should consider and allocate budget or personnel as appropriate.
- Communicate the importance of information security and conformance to ISMS requirements. Leaders should set the tone. This could be done through emails to staff about security, discussions in all-hands meetings, or the inclusion of ISMS performance in management discussions.
- Support roles and collaborate. They need to empower the person in charge of the ISMS (like an Information Security Manager) and other relevant roles and remove obstacles to their duties.
- Promote continual improvement. Leaders shouldn’t see ISMS as “we did it, check the box” but encourage ongoing security enhancement.
In a small company, leadership and commitment might be demonstrated by the managing director personally kicking off the ISO 27001 project, regularly checking progress, and being present during key meetings (like risk assessment workshops or the management review).
It could also be as straightforward as the CEO addressing all employees with a statement such as “we are implementing ISO 27001 because we value our customers’ trust, and we expect everyone to follow the new security policies.”
The main point: the ISMS must have visible and genuine support from the top. Auditors often interview top management to gauge their commitment.
If an MD or CEO is clueless about the ISMS or treats the audit as a nuisance, that’s a red flag. Conversely, if they can explain why security is important and the ISMS goals, it demonstrates compliance with 5.1.
ISO 27001 auditors want to see that senior leaders feel accountable and don’t consider themselves “above” the ISMS policies.
Clause 5.2 – Policy
ISO 27001 Clause 5.2 requires the establishment of an information security policy.
This is a high-level document, typically a brief policy statement from top management, that sets the direction for information security in the organisation.
The standard says the policy should:
- Be appropriate to the organisation’s purpose (so it reflects your business context and needs).
- Include commitments to satisfy applicable requirements (like laws, customer requirements) related to information security.
- Include a commitment to improve the ISMS continually.
- Include the objectives of the ISMS or the framework for managing them.
In simpler terms, the policy should explain why information security is important to the organisation and what it intends to do about it.
Example: A policy might include a statement from the CEO such as: “This company is committed to preserving the confidentiality, integrity, and availability of all forms of information within our scope. We will meet all regulatory and contractual security obligations, manage risks through an ISMS per ISO 27001, and continuously improve our security posture.” It can be a one-page statement.
The policy should also be approved by top management (often literally signed by the CEO or equivalent), a strong signal of leadership commitment.
Additionally, the policy must be communicated within the organisation and be available to interested parties as appropriate.
In practice, you should distribute it to employees (via email, intranet, training, posters, etc.) and possibly share it externally (some companies publish a sanitised version of their policy or at least make a statement on their website for transparency).
For an SME, don’t overthink the policy – it doesn’t have to be long.
Clear, concise, and endorsed by the boss is the way to go.
Tip: I highly recommend keeping the policy simple. Too often, the ones I see read like legal jargon and are difficult for people to understand and therefore to comply with, and compliance is the primary purpose of the policy.
Make sure employees are aware of it; sometimes, auditors will ask a random employee if they’ve seen the information security policy or know what it says generally. Often, HR have systems that can track who has ‘read and accepted’ a policy, which is great to track as an ISMS KPI for performance later.
Ultimately, the Information Security Policy of Clause 5.2 is a mandatory documented item. Auditors will ask to see it and check that it meets the criteria (commitments, objectives, etc.) and that it is current (e.g., version controlled, and approved or reviewed within the last year).
Clause 5.3 – Organisational Roles, Responsibilities and Authorities
Clause 5.3 requires top management to ensure that roles and responsibilities for the ISMS are assigned and communicated. Essentially, everyone should know what they are responsible for in the ISMS. Important specific roles include:
| Role | Description |
|---|---|
| ISMS Project Owner/Manager | Often a dedicated role like an Information Security Manager or IT Manager who is given the authority to run and coordinate the ISMS. This person often interacts with the auditor and coordinates implementation across departments. |
| Security Team or Committee | It is really important to have an ISMS committee, project team or a few key people (department reps) who take on ISMS duties as a team. This gives you somewhere to take issues and decisions and is critical for progressing your ISMS smoothly. |
| Asset Owners / Risk Owners | Identify who owns assets and risks. For example, who owns personnel data and sets the rules and policies around it appropriately. |
| General Staff Responsibilities | Outline the major responsibilities of staff that everyone should understand and adhere to. These may be segmented into groups, such as ‘managers’ and ‘contractors’. |
| Specific roles like Internal Auditor | Who will perform internal audits? It could be someone internal trained for it, or an external consultant, but responsibility should be assigned. |
| Incident Response Roles | Who manages security incidents if they occur should be clear (although the incident process itself may come from Annex A controls, Clause 5.3 ensures the roles are allocated). |
The clause also says that those in roles must have the authority to carry out their responsibilities. It’s pointless to make someone responsible for security if they can’t make changes or enforce policies, for instance.
In a small business, roles may overlap – that’s okay, but clarity is key. You might formally document roles & responsibilities in an “ISMS Roles and Responsibilities” document or within job descriptions.
At minimum, ensure that by the time of the audit, it’s crystal clear who the ISMS leader is and that other staff know their part. A common way to implement this is via an organisation chart for the ISMS or a RACI matrix that lists tasks vs. people.
Auditor’s perspective: They will check that responsibilities are indeed assigned. They might review an org chart or responsibility matrix, and they will confirm that an ISO 27001 coordinator or lead is appointed (auditors often like to interact with that person).
They might also interview a few people: e.g., ask the CEO “who is in charge of day-to-day ISMS management?” or ask some department head “what is your responsibility in the ISMS?” to ensure effective communication of roles.
If your documentation says Alice is responsible for risk assessment, but Alice doesn’t know that, that’s a problem.
Tip: The ISO 27001 standard says only two responsibilities are mandatory: one to ensure the ISMS conforms to the standard and one to report on the ISMS’s performance to management. If these are the only roles you define, then I (and any auditor) would argue that you haven’t considered the R&Rs thoroughly enough.
A subtle point: Clause 5.3 ties into Clause 7.2 (Competence) and Clause 7.3 (Awareness). It’s not enough to assign someone a role; you must also ensure they are competent to perform it (7.2) and that they know they hold it and what it involves (7.3). These clauses interlink, and an auditor will often test them together.
What are the Documentation and Outputs for ISO 27001 Clause 5?
Information Security Policy (5.2)
A formal, approved policy document signed by top management.
This is a required document and will be one of the first things an auditor asks for. Also, ensure it has been communicated (you can show an email blast, an intranet posting, or HR records as evidence).
Organisational Chart or Roles Document (5.3)
Having a document outlining ISMS roles and responsibilities is very helpful. This could be part of an ISMS manual or a separate roles & responsibilities matrix.
While not explicitly mandated as a separate document, auditors expect to see clearly defined roles. They might also accept job descriptions or an org chart as evidence.
The output here is clarity, so produce something written that you can show the auditor, like “Security roles: John Doe (CTO) is the ISMS champion, Jane Smith (IT Manager) is the ISMS manager responsible for coordination, Bob (HR) and Alice (Dev) are on the ISMS committee, etc.”
Evidence of Management Commitment (5.1)
This one is a bit intangible to “document,” but there could be evidence like management meeting minutes discussing ISMS, emails from the CEO about security, budget allocations for security in planning documents, etc.
Some companies draft a brief “Management Commitment Statement” signed by the CEO (essentially reiterating what’s in the policy and that they endorse the ISMS). It’s not required, but it’s nice evidence.
At minimum, the signature on the policy and participation in management review (Clause 9.3) are evidence of commitment.
Meeting records
Keep notes or attendance logs if top management has been involved in ISMS meetings (say, a kick-off meeting or periodic ISMS project reviews). These can show the auditor that leadership was actively involved and informed.
Training records for top management
If you gave a briefing or training to execs about their responsibilities, that record can be useful to show they’ve been made aware (ties into awareness).
What Do Auditors Look For in Clause 5
Auditors will scrutinise Clause 5 to ensure the ISMS isn’t just an “IT initiative” without real management buy-in. Typical things they check:
Top Management Interview
Often, the auditor will request a short interview with one or more top managers (CEO, COO, etc.) to gauge their commitment. They may ask questions like “Why did you decide to pursue ISO 27001?” “How do you as a leader stay informed about the ISMS progress and results?” “Can you describe some information security objectives for the company?” The purpose is to confirm that leadership is aware and supportive. They don’t expect the CEO to know every control, but the CEO should know key points (policy, objectives, and importance of ISMS).
Information Security Policy
They will review the policy to ensure it meets ISO requirements (commitment to requirements and improvement) and is appropriate. They’ll check that it’s approved (signed) and that it has been communicated (they might ask employees about it or ask how it’s distributed).
Awareness of Policy
Auditors might do spot checks by asking a few staff what the InfoSec policy says at a high level or where to find it. A common question: “Have you been told about the company’s information security policy, and what does it mean to you?” They want to see that the policy isn’t just on a shelf.
Roles and Responsibilities
The auditor will verify that an ISMS governance structure exists.
They might ask for an org chart of ISMS roles or something similar. If you have a document, they’ll review it and possibly interview some of those people to ensure they understand their role.
For example, if your policy says, “The Information Security Manager is responsible for coordinating risk assessments,” the auditor might ask that manager, “How do you carry out risk assessments, and who is involved?” to see that they are fulfilling that role.
Resource Provision
Since leadership must ensure resources, auditors may ask how management provides them.
They could ask, “How do you decide on budget for information security improvements?” or “Were there any instances where a needed security measure was approved by management?”
This ties into evidence—e.g., a project approval or budget line for security can show this.
Management not exempt
A savvy auditor may also try to see if executives follow the rules.
For instance, if the policy applies to all employees, does the CEO also abide by it (like locking their screen, attending security awareness training, etc.)?
Clause 5.1 implies leadership should set an example (no one is above the policies). If there’s any indication that a director refused to follow a security procedure, that could be a nonconformity. It’s rare but something to be mindful of culturally.
Case Study
In one company I was consulting with, the auditor asked to see the information security policy and found it nicely written, signed by the CEO, and published on the intranet.
Then, during interviews, the auditor asked a mid-level manager, “How do you know management is committed to this ISMS?” The manager referenced that the CEO sent quarterly updates that included security elements and that the CTO led a monthly security team meeting. The auditor also asked the CEO what the biggest security risks to the business were—the CEO was able to mention a couple of relevant points (showing he was briefed and aware) and reach for the risk log.
These interactions were in-depth but satisfied the auditor that Clause 5 was well-implemented: leadership was visibly engaged, not just nominally.
FAQs
Why is leadership so important in ISO 27001 Clause 5?
Clause 5 puts leadership at the centre of the ISMS. Without visible and active support from top management, an ISMS risks becoming a tick-box exercise rather than something that truly protects the business.
Leadership ensures that information security is aligned with strategic goals, properly resourced, and taken seriously across the organisation. Auditors expect to see senior leaders engaged, not just signatories to a policy.
What documents are required for Clause 5?
The only mandatory document under Clause 5 is the Information Security Policy (Clause 5.2), which must be formally approved and communicated. However, auditors will also expect to see:
- Defined roles and responsibilities (Clause 5.3)
- Evidence of management commitment (Clause 5.1) such as meeting minutes, CEO communications, or budget approvals
- Possibly training or awareness records for top management
These show that leadership is not only on board but also actively involved.
What’s the best way to assign ISMS roles and responsibilities?
You don’t need a complex org chart, but you do need clarity.
Assign key ISMS roles (e.g., ISMS Manager, Internal Auditor, Risk Owner) and make sure those people are aware of and capable of fulfilling their responsibilities.
This could be documented in a RACI matrix, ISMS manual, job descriptions, or a dedicated roles document. Auditors will want to see that people aren’t just named in documents — that they actually know their roles and what they are responsible for.
Further Reading
Get a copy of ISO 27001 from here.