User
Is it best practice to have the CEO approving the control of documents? My worry is that the CEO will become a bottleneck for the organization since he has to review any changes to the documents. Please clarify.
Expert
In smaller companies, it is best practice for the CEO to approve all ISMS documents because the CEO is typically the top management responsible for the overall direction and decision-making within the company. This ensures that the ISMS documents align with the company's strategic objectives and that there is a clear commitment from the highest level of management to support and enforce information security policies and practices. However, in mid-size and larger companies, the responsibility for approving documents can be divided between the senior management, security officers, and heads of departments to avoid bottlenecks.