{"id":4528,"date":"2014-06-09T17:34:43","date_gmt":"2014-06-09T17:34:43","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/014\/06\/09\/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301\/"},"modified":"2025-07-09T15:18:32","modified_gmt":"2025-07-09T15:18:32","slug":"roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/06\/09\/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301\/","title":{"rendered":"Roles and responsibilities of top management in ISO 27001 and ISO 22301"},"content":{"rendered":"<p>Did you know that, in most cases, failure to implement <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> or <a href=\"\/27001academy\/what-is-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 22301<\/a> was directly related to the fact that top management did not want to assume their responsibilities for information security \/ business continuity in their companies?<\/p>\n<p>OK, you probably knew that. 
But, what are these responsibilities, and how do you get the management to start doing what they should?<\/p>\n<h2>Why is it that executives don\u2019t care?<\/h2>\n<p>As I argued in my article <a title=\"Management\u2019s view of information security\" href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2011\/05\/16\/managements-view-of-information-security\/\">Management\u2019s view of information security<\/a>, the primary concern of the top management is to ensure the long-term success of their company, increase profitability, control new initiatives, decrease the risks, etc.<\/p>\n<p>Therefore, to get executives\u2019 attention, you have to focus on business benefits \u2013 once they realize how information security or business continuity can contribute to, e.g., more revenues or decreased costs, to better efficiency or decreased penalties, then you will get their attention. 
Learn here how to achieve that: <a title=\"Four key benefits of ISO 27001 implementation\" href=\"\/27001academy\/knowledgebase\/iso-27001-implementation-checklist\/#benefits\" target=\"_blank\" rel=\"noopener noreferrer\">Four key benefits of ISO 27001 implementation<\/a> and <a title=\"ISO 22301 benefits: How to get your management\u2019s approval for a business continuity project\" href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 22301 benefits: How to get your management\u2019s approval for a business continuity project<\/a>.<\/p>\n<p>Once they accept the concept of business benefits, you have to align your Information Security Management System (ISMS) \/ Business Continuity Management System (BCMS) with your company\u2019s strategic objectives \u2013 that is, you have to find how your information security or business continuity can support your business strategy. 
For example, if you were a hosting company, one of your strategic objectives might be higher availability of your servers than what the competitors offer \u2013 ISMS and\/or BCMS are very relevant for such an objective because they will directly decrease the number of incidents and therefore increase the level of availability.<br \/>\n<div class=\"responsive-video-wrapper\"><iframe loading=\"lazy\" title=\"What CEOs need to know about ISO 27001?\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/7pzJ7QRHPOY?feature=oembed&#038;rel=0\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div><\/p>\n<h2>So, what do executives need to do?<\/h2>\n<p>Once your top management understands why ISO 27001 or ISO 22301 are important, and they find out how these standards can directly support the company strategy, you can ask them to do something concrete about it.<\/p>\n<p>According to ISO 27001\/ISO 22301, the responsibilities of the top management are as follows:<\/p>\n<ul>\n<li><strong>Publish the top-level policy<\/strong> \u2013 the top management needs to publish the <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&amp;doc=information-security-policy\" target=\"_blank\" rel=\"noopener\">Information security policy<\/a> \/ <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-22301-premium-documentation-toolkit\/?rel=business-continuity&amp;doc=business-continuity-policy\" target=\"_blank\" rel=\"noopener\">Business continuity policy<\/a>, in which they will define the main intention about information security \/ business continuity. 
See also <a title=\"Information security policy \u2013 how detailed should it be?\" href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2010\/05\/26\/information-security-policy-how-detailed-should-it-be\/\">Information security policy \u2013 how detailed should it be?<\/a> and <a title=\"The purpose of Business continuity policy according to ISO 22301\" href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2013\/06\/04\/the-purpose-of-business-continuity-policy-according-to-iso-22301\/\">The purpose of Business continuity policy according to ISO 22301<\/a>.<\/li>\n<li><strong>Determine the objectives<\/strong> \u2013 through the objectives, the top management defines in which direction ISMS\/BCMS need to be steered, and the objectives also provide a clear measure of whether the ISMS\/BCMS is successful. Find out more here: <a title=\"ISO 27001 control objectives \u2013 Why are they important?\" href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2012\/04\/10\/iso-27001-control-objectives-why-are-they-important\/\">ISO 27001 control objectives \u2013 Why are they important?<\/a> and <a title=\"Setting the business continuity objectives in ISO 22301\" href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/02\/17\/setting-the-business-continuity-objectives-in-iso-22301\/\">Setting the business continuity objectives in ISO 22301<\/a>.<\/li>\n<li><strong>Determine the main responsibilities<\/strong> \u2013 top management needs to define who is in charge of various elements related to the implementation and operation of the ISMS and BCMS \u2013 in most cases, they will appoint the Chief Information Security Officer or Business continuity coordinator, but the top management also needs to assign other responsibilities as well; the top management needs to support all those managers, and ultimately make sure they have done their jobs. 
See also <a title=\"Chief Information Security Officer (CISO) \u2013 where does he belong in an org chart?\" href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2012\/09\/11\/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart\/\">Chief Information Security Officer (CISO) \u2013 where does he belong in an org chart?<\/a><\/li>\n<li><strong>Communicate the importance<\/strong> \u2013 since executives are the ones who have the most influence in an organization, if they do not explain to all employees why ISMS\/BCMS is important, then no one will believe they need to do something about it, especially if top managers do not \u201cwalk the talk,\u201d i.e. comply with the security or business continuity rules themselves.<\/li>\n<li><strong>Provide all the necessary resources<\/strong> \u2013 without money and without enough time of employees, the ISO 27001 or ISO 22301 project will fail \u2013 this is where the support from the top management must become very real and tangible. From my experience, this is exactly the point where the management usually fails \u2013 they usually redirect the resources into other projects.<\/li>\n<li><strong>Perform management review<\/strong> \u2013 this is where the top management needs to review everything that has happened within their ISMS\/BCMS, with one of the primary tasks being to conclude whether the objectives have been achieved. See also <a title=\"Why is management review important for ISO 27001 and ISO 22301?\" href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/03\/03\/why-is-management-review-important-for-iso-27001-and-iso-22301\/\">Why is management review important for ISO 27001 and ISO 22301?<\/a><\/li>\n<\/ul>\n<p>So, your top management is really crucial for the success of your ISO 27001\/ISO 22301 project. But, don\u2019t ask them to do anything before you convince them that ISO 27001 or ISO 22301 is good for the business, because otherwise, you will only waste your time. 
And starting the project without real support from your executives is an even bigger waste of time.<\/p>\n<p><em>To implement ISO 27001 &amp; ISO 22301 easily and efficiently, use our <\/em><a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-22301-premium-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 27001 &amp; ISO 22301 Premium Documentation Toolkit<\/a><em> that provides step-by-step guidance and all documents for full ISO 27001 &amp; ISO 22301 compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Did you know that, in most cases, failure to implement ISO 27001 or ISO 22301 was directly related to the fact that top management did not want to assume their responsibilities for information security \/ business continuity in their companies? OK, you probably knew that. But, what are these responsibilities, and how do you get &#8230;<\/p>\n","protected":false},"author":26,"featured_media":4529,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[187,380,381,405,496,522,539],"class_list":["post-4528","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-management-review","tag-iso-22301","tag-iso-27001","tag-isms","tag-bcms","tag-information-security-policy","tag-objectives"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4528","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4528"}],"version-history":[{"co
unt":2,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4528\/revisions"}],"predecessor-version":[{"id":104334,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4528\/revisions\/104334"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/4529"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}