User
is it best practice to have the CEO approving the control of documents? my worry is the CEO to become a bottle nick for the organization since he have to review any changes to the documents. please clairify.
Experta
It is not necessary for the CEO to approve all documents. In smaller companies, it might be best practice for the CEO to approve all ISMS documents, but in mid-size and larger companies, the responsibility can be divided among senior management, security officers, and department heads. This approach helps prevent the CEO from becoming a bottleneck in the document approval process.