Moved a directory, changed some filenames
This commit is contained in:
parent
ae27a60bcf
commit
347706835e
195 changed files with 696 additions and 255 deletions
@ -1,42 +0,0 @@
# ISO 27001 Top Management responsibilities
Based on the provided sources, particularly **ISO/IEC 27001 Clause 5** and **Clause 9.3**, specific responsibilities are assigned explicitly to **"Top Management"**. These are distinct from general "management" responsibilities (such as those in ISO 27002 Control 5.4), which apply to all levels of supervision (line managers, project managers, etc.).
The responsibilities **exclusive to Top Management** focus on strategic alignment, resource provision, and ultimate accountability for the ISMS. They include:
### 1. Strategic Alignment and Policy Establishment
Only Top Management is explicitly required to:
- **Establish the Policy:** They must establish the information security policy.
- **Ensure Strategic Compatibility:** They must ensure that the information security policy and objectives are compatible with the **strategic direction** of the organization.
- **Ensure Process Integration:** They must ensure that ISMS requirements are integrated into the organization’s broader business processes.
### 2. Resource Provision
While other managers utilize resources, Top Management is exclusively responsible for **ensuring the resources needed** for the ISMS are available. This implies budgetary and organizational authority that lower management layers typically do not possess independently.
### 3. Assignment of Roles and Authority
Top Management has the exclusive duty to assign and communicate responsibilities and authorities within the organization. Specifically, they must assign the responsibility for:
- Ensuring the ISMS conforms to the standard.
- **Reporting performance** of the ISMS back _to_ Top Management.
### 4. Management Review
Top Management is explicitly required to conduct the **Management Review** (Clause 9.3) at planned intervals. This is a formal evaluation of the ISMS's continuing suitability, adequacy, and effectiveness, which includes making decisions on:
- Changes to the ISMS.
- Opportunities for continual improvement.
### 5. Ultimate Accountability
Clause 5.1 states that Top Management shall demonstrate leadership by "ensuring that the information security management system achieves its intended outcome(s)". While operational managers work towards this, the standard places the ultimate requirement of _ensuring_ success on Top Management.
### Comparison: What is _Not_ Exclusive to Top Management?
In contrast, **ISO 27002 Control 5.4** refers simply to "**Management** responsibilities" rather than "Top Management." The following tasks are responsibilities of _all_ management layers (line managers, supervisors), not exclusively Top Management:
- Briefing personnel on roles and responsibilities before granting access.
- Ensuring personnel are provided with guidelines and achieve necessary awareness.
- Ensuring personnel comply with terms and conditions of employment.
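Review bot: this hunk (`-1,42 +0,0`) is a pure deletion of the whole "ISO 27001 Top Management responsibilities" note, and nothing in it shows the destination path, even though the commit message says the change is a move and rename. Confirm that git recorded it as a rename rather than a delete plus add (for example with `git show -M --stat` or `git log --follow` on the new path), so that the note's history stays attached and a reviewer can verify the 42 lines were carried over unchanged; also check that any other notes linking to the old filename (the Clause 5 / Clause 9.3 / Control 5.4 cross-references this file is likely cited from) are updated to the new path, since a rename alone leaves those links dangling.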