October 4, 2021

Last Updated on January 14, 2024

ISO 27001 certification is a big change for most businesses; one that impacts not just IT but many departments from legal to HR to the C-suite. Because what you’re actually certifying under ISO 27001 is your information security management system (ISMS) and not your controls, governance—and therefore senior management—is meant to play a pivotal role in achieving and maintaining an ISO 27001 certificate.

But, as we frequently see in our ISO 27001-as-a-Service practice, many organizations mistakenly believe that ISO 27001 is all about cybersecurity controls… and so the ISO 27001 preparation effort is left in the hands of IT and/or information security staff.

To help dispel this and other problematic misconceptions that companies have around ISO 27001 certification, Pivot Point Security CISO and Managing Partner, John Verry, recorded a special podcast in response to longstanding requests from customers.

The role of “top management” in your ISO 27001 ISMS
The ISO 27001 standard emphasizes that senior management involvement and direction are critical to the effectiveness of any ISMS.

John explains: “Senior management tends to think, ‘Hey, [ISO 27001] is IT/InfoSec and we really don’t need to be involved.’ But ISO 27001 makes it very, very clear that an ISMS, the information security management system that you’re certifying, needs to be governed. And it needs to be governed by ‘top management.’”

“The IT guy” isn’t top management
“ISO doesn’t define top management, but clearly the IT guy is not top management,” John asserts. “And that’s usually the person that’s leading this particular project. So typically, we’ve got someone that’s higher up the food chain, minimally whoever has overall responsibility for information security. Usually that’s someone sitting in the CFO or COO seat.”

Cybersecurity is a business issue
Another big reason why the C-suite needs to be steering the ISO 27001 ISMS is that cybersecurity is a board-level business issue, now more than ever.

As John puts it, “Information security risk is no longer just InfoSec risk, it’s a business risk. And you need to be assured, as management, that that risk is understood, that that risk is being effectively managed on an ongoing basis and that you’re validating that.”

“And that’s what ISO 27001 says,” John emphasizes. “If [your business is] seeking ISO 27001 certification and you are ‘top management,’ you will be playing a role in ISO 27001.”

What’s Next?

Whatever your role in your organization’s ISO 27001 certification process, you’ll appreciate the high-value guidance in this special podcast with ISO 27001 expert John Verry:
EP#62 – John Verry – What People Get Wrong About ISO 27001 Compliance – Pivot Point Security

Looking for some more meaningful information around how to manage your ISO 27001 Certification? Check out this blog post: Don’t Assume Your IT Staff Will “Handle” ISO 27001 Certification – Pivot Point Security