Chapter 2. Management Support

Information security is both a management and a governance issue. Successful implementation of an ISMS depends absolutely on the project having real support from the top of the organization. With it, you have a real chance of success; without it, none at all. Securing real top management support – not mere lip service – is the second key to ISO 27001 success. In this context, I’m not necessarily talking about the CEO of a large, multi-subsidiary organization; I’m talking about the person who is accountable for the business success or failure of the trading entity (see chapter three, which deals with scope) that is considering ISO 27001. This could be a trading division, a subsidiary company, a standalone unit or a ...

Get Nine Steps to Success: An ISO 27001 Implementation Overview now with the O’Reilly learning platform.
