Who is responsible for establishing the information security policy according to ISO/IEC 27001?


According to ISO/IEC 27001, the responsibility for establishing the information security policy lies with top management. Clause 5.2 (Policy) states this directly: top management shall establish an information security policy that is appropriate to the purpose of the organization, includes information security objectives (or a framework for setting them), and includes a commitment to satisfy applicable requirements and to continually improve the ISMS. This sits under Clause 5 (Leadership) because top management is expected to provide direction and support for information security, ensuring the policy is aligned with the organization's objectives and integrated into its overall management processes.

Top management's involvement is crucial for demonstrating commitment to information security, which is a prerequisite for the effectiveness of the Information Security Management System (ISMS). Their leadership ensures that the policy reflects the strategic position of the organization and adequately addresses risk management, compliance with legal, regulatory and contractual requirements, and the needs of interested parties.

Top management is also responsible for approving the information security policy, ensuring it is communicated within the organization and made available to interested parties as appropriate, and ensuring that sufficient resources are allocated for implementing and maintaining the ISMS. This involvement fosters a culture of security within the organization and helps establish accountability for the various functions and activities related to information security.

In contrast, other roles and departments (for example the information security manager, the ISMS team, or individual business units) play supporting roles: they may draft the policy text or implement particular aspects of it, but the ultimate responsibility and accountability for establishing the policy resides with top management and cannot be delegated away. This design reflects a broader understanding that successful information security governance requires oversight and commitment from the highest levels of an organization.
