In smaller companies, it is best practice for the CEO to approve all ISMS documents because the CEO is typically the top management responsible for the overall direction and decision-making within the company. This ensures that the ISMS documents align with the company's strategic objectives and that there is a clear commitment from the highest level of management to support and enforce information security policies and practices. However, in mid-size and larger companies, the responsibility for approving documents can be divided between the senior management, security officers, and heads of departments to avoid bottlenecks.