Who Owns Security in Your Organisation? Leadership Commitment and ZInfV-1

by | 23.03.2026

When an information security programme fails — when a breach goes undetected for months, when an incident notification deadline is missed, when a certification audit exposes gaps that should have been closed years ago — the root cause is almost never a technical one. The firewall was probably adequate. The policy probably existed. The problem was that nobody with real authority ever made security a genuine priority.

ISO 27001 Clause 5 addresses this directly. Leadership is not a supporting condition for a working security programme — it is the prerequisite. And under ZInfV-1, it is also a legal obligation with personal consequences.

1. A governance obligation, not an IT delegation

ZInfV-1 Article 23 — implementing NIS2 Article 20 — places explicit, non-delegable obligations on management bodies of essential and important entities. Boards and senior executives must personally approve cybersecurity risk management measures, oversee their implementation, and bear responsibility for infringements. Management body members may be required to undergo security training.

This is a meaningful shift. Under the previous regulatory regime, governance failures were primarily organisational liabilities. Under ZInfV-1 they are personal ones. A board that signs off on a security report without genuinely engaging with its contents is not just overseeing a gap — it is exposed.

ACCOUNTABILITY TEST
When a regulator examines your organisation, they will not only ask whether controls exist. They will ask who approved them, who is monitoring them, and what evidence exists of active board-level oversight. 'We delegated it to IT' is not a defensible answer under ZInfV-1.

2. What ISO 27001 requires from leadership — specifically

ISO 27001 Clause 5.1 uses the word 'demonstrate' deliberately. Leadership must show evidence of active engagement across seven areas:

Leadership must demonstrate:
- Security policy and objectives aligned with strategic direction
- ISMS requirements integrated into organisational processes
- Resources for the ISMS made available
- Importance of security actively communicated
- ISMS achieving its intended outcomes
- Continual improvement promoted

None of this requires a dedicated board sub-committee or a large security team. It requires that security has a named, resourced owner with access to leadership — and that leadership takes the reporting seriously enough to act on it.

3. The security policy: governance instrument or compliance liability?

The information security policy is the most visible signal of whether leadership commitment is real. Most organisations have one. Fewer have one that does anything useful.

A policy that was drafted by IT, signed once, and has never been reviewed against ZInfV-1 obligations or the current threat landscape is not a governance instrument. It is a liability document — one that creates the impression of compliance while providing no operational substance and no regulatory protection.

A functioning policy is approved by the most senior appropriate leader (not IT, not legal — leadership), references the specific regulatory framework including ZInfV-1, commits to proportionate and improving security measures, and is reviewed at minimum annually. It is the document a regulator would ask to see first — and the one most organisations are least prepared to produce.

QUICK DIAGNOSTIC
Pull out your current security policy. Ask three questions: Does it name ZInfV-1 or NIS2 specifically? Was it approved by a board member or C-level executive? Has it been reviewed in the last 12 months? If the answer to any of these is no, you have a governance gap that a regulator will find before you do.

4. The accountability gap most organisations don't see

The most common failure in security governance is not a lack of security staff. It is the assumption that hiring a CISO or security manager resolves the accountability question. It does not.

A security manager without board-level access, budget authority, or the ability to escalate concerns into strategic decisions cannot fulfil what ISO 27001 and ZInfV-1 require of leadership. The accountability sits above them. When the security manager escalates a critical risk and nothing happens, that is a leadership failure — and under ZInfV-1, it is a documented one.

5. A leadership gap is ZInfV-1 exposure

Organisations that struggle with ZInfV-1 compliance are rarely those without the technical capability to implement security. They are those where leadership has not yet understood — or accepted — that security is their responsibility, not their security team's.

The regulator will look for evidence of genuine oversight: documented board approvals, a security policy with current management sign-off, quarterly review records, and an ISMS owner with real authority. If these do not exist, the technical controls underneath them — however well designed — will not create a defensible compliance position.

Building genuine leadership engagement into a security programme is not straightforward, particularly in organisations where security has historically been an IT matter. It requires a structured approach, clear communication of personal obligations, and experienced external support that can translate regulatory requirements into board-ready language.

IS YOUR BOARD GENUINELY ENGAGED — OR JUST SIGNED OFF?
There is a material difference between a board that has approved a security policy and a board that understands and oversees the security programme it governs. Our free Information Security Maturity Assessment covers governance and leadership as one of its five domains, giving you an immediate, honest read on where your organisation stands. Ten minutes. No obligation. And if the results raise questions you want to work through with us — we offer a free 30-minute consultation.

Series continues — next week: Planning (ISO 27001, Clause 6)