In smaller companies, it is a common best practice for the CEO to approve all ISMS documents. However, in larger companies, the responsibility for approving documents can be divided between senior management, security officers, and heads of departments. The goal is to distribute the workload and ensure efficiency in the approval process. It is important to consider the size and structure of your organization when determining who should approve documents. The CEO should not become a bottleneck, and it may be necessary to delegate the approval authority to other individuals to ensure timely review and approval of documents.