Who is responsible for establishing the information security policy according to ISO/IEC 27001?


The responsibility for establishing the information security policy according to ISO/IEC 27001 lies with top management. This leadership role is critical because the information security policy must align with the organization's strategic direction and overall objectives. Top management brings an overarching view of the organization's goals and risk appetite, allowing them to make informed decisions about the priorities and commitments necessary for effective information security management.

Furthermore, the involvement of top management is essential to ensure that the information security policy receives adequate support and resources throughout the organization. Their commitment can influence the culture of information security, promote compliance, and foster an environment where security is prioritized at all levels.

While other roles, such as the information security manager and the IT department, are vital in implementing and managing the information security program, the ultimate responsibility for establishing the policy and ensuring its integration into the organization's governance framework rests with top management. This is a key aspect of leadership and management in ISO/IEC 27001, highlighting the importance of ensuring that information security is not viewed as an isolated function but as an integral part of business operations.
