Management Commitment

Involvement from top management is critical to the effectiveness of your information security program. Who counts as top management varies with the size of the company: in smaller organisations it can be the Director or Managing Partner; in larger organisations the CEO, COO or CIO can be your partner.

The objective is to ensure and validate management's commitment, because the organisation's management is responsible for its information security and its policy.

Top management's involvement with the information security program will help you:

  • Sponsor and promote information security in the company
  • Understand the company's risk appetite
  • Align with the business and its objectives
  • Secure resources and budget

Senior Management could also:

  • Provide direction and methodology in risk management
  • Define the requirements and associated KPIs
  • Review your information security regularly
  • Set Information Security targets for all employees as part of their annual evaluation
  • Endorse and communicate your cybersecurity policies

Have a cyber security policy document written or endorsed by management, which commits the organisation to adhere to the cybersecurity protection principles and to update the policy regularly.

Have regular management meetings that put the cyber security strategy on the agenda.