Analysis of Non-Conformities in ISO 27001 - Clause 5
In common with all the Annex SL standards leadership is fundamental to operating a successful management system. All the Annex SL standards require top management to set policy and assign resources. This is no different to what top management would be doing for the overall organization. It’s in everyone's interest that top management is well versed in the requirements of Clause 5.
Clause 5 is where top management demonstrate their commitment to the ISMS, even if they have delegated its management. Demonstrate is the key word here - 8% of the Non-Conformities (NC) in Clause 5 arise because our auditors didn't have confidence that top management were committed to the ISMS.
This was usually because the ISMS policy was not approved by top management, they didn't make themselves available for interview, or even worse, when they were interviewed knew little about the ISMS.
The auditor will need to interview top management (or top management at an appropriate level) and will discover if the top management is committed to information security.
You'll need to make sure that everything is lined up for the top management interview: 14% of the NCs were caused by the ISMS policy not being compatible with the organization's strategy, which could suggest a lack of top management involvement. It's worth considering what the auditor typically sees in those circumstances.
Clauses 5.1a and 5.2a both require the policy to fit with the organization. Having already reviewed the organization under Clause 4 the auditor will have a good understanding of the organization, what it does and why it does it. The auditor will require that top management describe the organization's strategic direction. It will be obvious to our auditor if the information security policy doesn't support the overall purpose of the organization.
Information security objectives don't appear until Clause 6.2, yet your top management is expected to know them. This in turn implies that your top management should be aware of your risk assessment and risk treatments. They then should be able to discuss objectives with authority.
5.1d should be easy for the top management to demonstrate - your internal and supplier communications about the importance of information security is one way to show the auditor how you meet the requirement. Yet we do have awkward moments when the top management just don't know, usually because they've delegated it all to the ISMS manager.
There's some mandatory inclusions to the policy which are listed in 5.2b, c & d. Yet 25% of Clause 5 NCs occur because those requirements are missing from the policy.
5.3 Organizational roles, responsibilities and authorities
A failure to assign roles and responsibilities for information security frequently causes NCs. We usually uncover this when reviewing documentation and interviewing people. This is sometimes attributed to the policy not being communicated which is also a cause of NCs. It's important not to conflate information security with ISMS management. The usual mantra is that, like health and safety, everyone is responsible for information security. Whereas not everyone will be involved managing the ISMS.
Sometimes a lack of leadership commitment manifests in a different clause but is directly attributed to a Clause 5 failure. A failure to take action following the management review in Clause 9 can be an NC against Clause 5.1c - ensuring resources are available, or 5.1e - ensuring that the management system achieves its intended outcomes.
In my next blog I'll be looking at the typical reasons why non-conformities arise in Clause 6.1.
Authored by: Tim Pinnell, NQA Information Security Assurance Manager