ISO 27001 Clause 5: Leadership and Top Management Commitment
Clause 5 of ISO 27001:2022 puts obligations directly on "top management" — the people who direct and control the organization, not the compliance owner. 5.1 requires demonstrated leadership and commitment: security policy and objectives aligned with strategy, ISMS requirements integrated into business processes, resources actually provided, and results monitored. 5.2 requires an information security policy established by top management, documented, communicated internally, and available to interested parties. 5.3 requires roles, responsibilities, and authorities to be assigned and communicated — including who reports ISMS performance back to top management. The distinctive thing about Clause 5 is how it's audited: the certification auditor interviews your executives, and "I delegated that to our compliance person" is itself a finding when the CEO can't say what the policy commits to or when leadership last reviewed ISMS performance. The evidence is light — a signed policy, an org chart or responsibility matrix, management review minutes with leadership present — but the interview can't be faked, which is exactly the point.
Most of ISO 27001 can be built by whoever owns compliance. Clause 5 can't. It's the one part of the standard aimed squarely at "top management" — the person or group who directs and controls the organization — and it's audited in the one way that can't be delegated: your auditor talks to your executives and listens to what they actually know. This is the second post in our clauses 4–10 series; the hub has the full map, and Clause 4 (context) comes right before this one.
Who counts as "top management"?
The standard defines top management as the person or group of people who direct and control the organization at the highest level — relative to the scope of the ISMS. In a 30-person startup that's the founders or the executive team, full stop. If your ISMS scope covers a business unit rather than the whole company, top management can be that unit's leadership. What it can never be: the compliance manager, the DPO, or "whoever runs our compliance platform." Those people operate the ISMS; Clause 5 is about the people who fund it and answer for it.
5.1 — Leadership and commitment
What it requires: top management shall demonstrate leadership and commitment with respect to the ISMS. The standard then lists what demonstrating means, and the list is worth reading closely because auditors use it as an interview script:
- ensuring the information security policy and objectives are established and compatible with the strategic direction of the organization;
- ensuring ISMS requirements are integrated into business processes — security in how you sell, build, and hire, not a parallel universe of documents;
- ensuring the resources needed for the ISMS are available — budget, tooling, people's time;
- communicating the importance of effective information security management and of conforming to ISMS requirements;
- ensuring the ISMS achieves its intended outcomes;
- directing and supporting people to contribute, promoting continual improvement, and supporting other managers in their areas.
Notice the verb pattern: ensuring, not doing. Top management doesn't run the risk assessment — it makes sure the risk assessment happens, is resourced, and its results are acted on. That distinction is what the auditor probes for.
Evidence in practice: management review minutes with executives genuinely present (Clause 9.3 is where 5.1 becomes visible on paper), budget or headcount decisions traceable to ISMS needs, security objectives that reference business goals, and — above all — an executive interview that goes well. More on that below.
5.2 — The information security policy
What it requires: top management shall establish an information security policy that is appropriate to the organization's purpose, includes security objectives or the framework for setting them, commits to satisfying applicable requirements, and commits to continual improvement. It must be documented, communicated within the organization, and available to interested parties as appropriate.
This is the top-level policy — one or two pages of direction-setting, not the full policy stack. The most useful test: could your executives summarize it from memory? If the policy is fifteen pages of boilerplate, the honest answer is no, and that shows in the interview. A short policy your CEO actually believes beats a long one nobody has read. (For the full document set below it, see our internal policy management guide.)
Evidence in practice: the approved policy with top management's sign-off and a version history; proof of communication (onboarding materials, the all-hands where it was introduced, the internal wiki page); and, where relevant, evidence it's available to interested parties — many companies simply publish it or share it under NDA in security reviews.
5.3 — Roles, responsibilities and authorities
What it requires: top management shall ensure that responsibilities and authorities for roles relevant to information security are assigned and communicated. Two responsibilities are called out specifically: ensuring the ISMS conforms to the standard, and reporting on ISMS performance to top management.
That second one is the quietly important bit: someone must own the feedback loop to leadership. In a startup this is typically the CTO or a security lead wearing the "ISMS owner" hat — fine, as long as it's written down and the person actually reports upward at defined moments (management review at minimum).
Evidence in practice: a responsibility matrix or short role descriptions (ISMS owner, risk owner(s), asset owners, internal audit responsibility), reflected in reality — the person named actually does the thing. After a departure, this is where ISMSs quietly rot: the named ISMS owner left four months ago and nobody was reassigned. Auditors check names against your current org chart.
How the Clause 5 interview actually goes
Certification audits almost always include a session with top management, and the questions are predictable because they mirror 5.1's list:
- What are your information security objectives, and how do they relate to your business goals?
- What does your security policy commit you to? (Summary, not recitation.)
- How do you know the ISMS is working? When did you last review its performance?
- What security investments have you made this year, and why those?
- Who reports to you on the ISMS, and how often?
Executives don't need technical depth — they need to show ownership of direction, resourcing, and follow-through. Fifteen minutes of preparation against exactly these questions is some of the highest-leverage audit prep that exists. The failure mode isn't ignorance of TLS versions; it's "you'd have to ask our compliance person" delivered three times in a row — which converts directly into a finding against 5.1.
Common Clause 5 nonconformities
- The absent executive. Management review meetings that top management never actually attends — minutes show only the compliance owner talking to themselves.
- The unsigned or fossilized policy. No approval trail, or a policy last touched years ago while the company doubled and pivoted. (The standard doesn't set a review interval, but "appropriate to the purpose of the organization" stops being true on its own.)
- Orphaned roles. The responsibility matrix names people who've left; no reassignment, no communication.
- Resources on paper only. Objectives and risk treatments exist, but every one stalls for lack of budget or time — auditors read stalled corrective actions as a 5.1 resourcing problem, not just a Clause 10 one.
Ready to Streamline Your Compliance?
Discover how AuditBadger can simplify your compliance management process.
The bottom line
Clause 5 asks less work of your executives than any other clause asks of your team — a short policy, clear role assignments, showing up to management review, and one honest interview. What it can't survive is indifference, because the auditor tests the humans, not the documents. Brief your leadership on the five questions above, keep the policy short enough to believe in, and name a real ISMS owner who reports upward. Next in the series: Clause 6, Planning — risk assessment, risk treatment, and the Statement of Applicability, where your ISMS makes its actual decisions.
Frequently asked questions
Who counts as "top management" in ISO 27001? +
Top management is the person or group of people who direct and control the organization at the highest level — relative to the scope of the ISMS. In a startup that means the founders or executive team; if the ISMS scope covers only a business unit, it can be that unit's leadership. It can never be the compliance manager, DPO, or whoever operates your compliance platform — those people run the ISMS, while Clause 5 places obligations on the people who fund it and answer for it: demonstrating leadership and commitment (5.1), establishing the information security policy (5.2), and assigning roles and authorities (5.3). Certification auditors verify this by interviewing your executives directly.
What questions do auditors ask top management in an ISO 27001 audit? +
The executive interview follows Clause 5.1's list of commitments, so the questions are predictable: What are your information security objectives and how do they relate to business goals? What does your security policy commit you to (a summary, not a recitation)? How do you know the ISMS is working, and when did you last review its performance? What security investments have you made this year and why? Who reports to you on the ISMS and how often? Executives don't need technical depth — they need to show ownership of direction, resourcing, and follow-through. Answering "you'd have to ask our compliance person" repeatedly converts directly into a finding against Clause 5.1, no matter how good the documentation is.
What evidence demonstrates ISO 27001 Clause 5 leadership? +
The paper trail is light but specific: an information security policy approved by top management with a visible sign-off and version history, plus proof it was communicated (onboarding materials, policy acknowledgments) and is available to interested parties where appropriate; a responsibility matrix or role descriptions assigning ISMS responsibilities — including who reports ISMS performance to top management, which Clause 5.3 calls out explicitly; management review minutes showing executives genuinely present and deciding; and resourcing decisions (budget, headcount, tooling) traceable to ISMS needs. The evidence that can't be faked is the interview: auditors test whether leadership actually owns the system, so the strongest preparation is briefing executives on the policy and the ISMS's current performance.