Dated: 05-11-2024

Ch01. What is Management Commitment

  • Management commitment is the expression of the intent, the relevant actions, and the allocation of sufficient resources to ensure the InfoSec program is properly implemented
  • ISO 27001:2013 (ISMS)
    • Clause 5.1:
      • Policy and objectives are established (compatible with strategic direction)
      • Integration of ISMS requirements into processes
      • Resources
      • Communicating importance
      • Intended outcomes are achieved
      • Directing and supporting persons
      • Promoting continual improvement
      • Supporting other management roles
  • "Tone at the top"
    • Management closely watches the actions of executive leadership (culture)
    • The importance given to InfoSec by the executive leadership becomes the minimum threshold for the rest of the organization
  • In practice
    • Security policy
    • Security responsibility delegated to a designated head (CISO) or department
    • Security steering committee (board level)
    • Quarterly or more frequent management reviews of the information security program