Top management commitment, and its visible demonstration, are important contributors to the overall success of information security within an entity. This does not mean that top management carries out the actions listed above themselves, but they need to ensure that the actions do take place and that they are concluded successfully.
One important part of these responsibilities is the assignment of appropriate resources, without which information security cannot succeed (see also M1.4.1 below). Another important aspect is the connection between business goals and requirements on the one hand and information security on the other. Ideally, these are kept in balance: it should never be the case that information security hinders the business, but it should equally not be the case that an entity takes unjustified risks and neglects security. The final decision on what takes precedence has to be taken by top management.
Management should identify the needs for internal or external specialist information security advice, and review and coordinate results of the advice throughout the entity.