Leadership and commitment, part a)
Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring the information security policy and the information security objectives are established and compatible with the strategic direction of the organization.
- GOV-01 - Cybersecurity & Data Protection Governance Program
- GOV-02 - Publishing Cybersecurity & Data Protection Documentation
Leadership and commitment, part b)
Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring the integration of the information security management system requirements into the organization's processes.
Leadership and commitment, part c)
Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring that the resources needed for the information security management system are available.
- GOV-01 - Cybersecurity & Data Protection Governance Program
- PRM-02 - Cybersecurity & Data Privacy Resource Management
Leadership and commitment, part d)
Top management shall demonstrate leadership and commitment with respect to the information security management system by: communicating the importance of effective information security management and of conforming to the information security management system requirements.
Leadership and commitment, part e)
Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring that the information security management system achieves its intended outcome(s).
- GOV-01 - Cybersecurity & Data Protection Governance Program
- PRM-01 - Cybersecurity & Data Privacy Portfolio Management
Leadership and commitment, part f)
Top management shall demonstrate leadership and commitment with respect to the information security management system by: directing and supporting persons to contribute to the effectiveness of the information security management system.
- GOV-01 - Cybersecurity & Data Protection Governance Program
- GOV-04 - Assigned Cybersecurity & Data Protection Responsibilities
Leadership and commitment, part g)
Top management shall demonstrate leadership and commitment with respect to the information security management system by: promoting continual improvement.
Leadership and commitment, part h)
Top management shall demonstrate leadership and commitment with respect to the information security management system by: supporting other relevant management roles to demonstrate their leadership as it applies to their area of responsibility.
- GOV-01 - Cybersecurity & Data Protection Governance Program
- GOV-04 - Assigned Cybersecurity & Data Protection Responsibilities
Policy, part a)
Top management shall establish an information security policy that: is appropriate to the purpose of the organization.
Policy, part b)
Top management shall establish an information security policy that: includes information security objectives (see 6.2) or provides the framework for setting information security objectives.
- GOV-02 - Publishing Cybersecurity & Data Protection Documentation
- GOV-09 - Define Control Objectives
Policy, part c)
Top management shall establish an information security policy that: includes a commitment to satisfy applicable requirements related to information security.
Policy, part d)
Top management shall establish an information security policy that: includes a commitment to continual improvement of the information security management system.
Policy, part e)
The information security policy shall: be available as documented information.
Policy, part f)
The information security policy shall: be communicated within the organization.
Policy, part g)
The information security policy shall: be available to interested parties, as appropriate.
Organizational roles, responsibilities, and authorities, part a)
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Top management shall assign the responsibility and authority for: ensuring that the information security management system conforms to the requirements of this document. Note: Top management can also assign responsibilities and authorities for reporting performance of the information security management system within the organization.
- GOV-01.1 - Steering Committee & Program Oversight
- GOV-04 - Assigned Cybersecurity & Data Protection Responsibilities
Organizational roles, responsibilities, and authorities, part b)
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Top management shall assign the responsibility and authority for: reporting on the performance of the information security management system to top management. Note: Top management can also assign responsibilities and authorities for reporting performance of the information security management system within the organization.