What should auditors do to assess top management's commitment to the information security management system?


To assess top management's commitment to the information security management system, interviewing the auditee's top management is the most effective approach. This direct interaction allows auditors to evaluate not only the knowledge and understanding of management regarding the information security policies and procedures but also their engagement and attitude towards the system. Through interviews, auditors can gauge the level of support, resource allocation, and the importance that management places on information security, which are crucial indicators of commitment.

While reviewing company brochures may provide some insight into the organization's stated values and priorities, it does not reflect the actual commitment, which can only be measured through direct conversations. Similarly, surveying all employees, although informative about general awareness and attitudes towards information security, does not specifically assess the engagement of top management. Examining external audits may shed light on the company's compliance and practices, but it does not directly show how top management advocates for or executes the information security initiatives. Thus, interviewing management remains the most reliable method to ascertain their commitment level.
