In smaller companies, it is best practice for the CEO to approve all ISMS documents because the CEO is typically the top management responsible for the overall direction and decision-making within the company. However, in mid-size and larger companies, the responsibility for approving documents can be divided between senior management, security officers, and heads of departments to avoid creating a bottleneck.