SW-IMS-MAN-005
IMS Manual - Leadership (Clause 5)
Version: 1.0
Owner: CEO
Effective Date: TBD
Review Date: TBD
IMS Manual - Leadership (Clause 5)
Document Information
Document ID: SW-IMS-MAN-005
Version: 1.0
Status: Draft
Effective Date: [TBD]
Review Date: [TBD]
Owner: CEO
Approved by: [TBD]
1. Introduction
This section of the IMS Manual describes how Swedwise AB demonstrates leadership and commitment to the Integrated Management System. It defines top management's responsibilities, the IMS policy framework, and the organizational structure for managing quality, environmental, and information security.
Alignment with ISO Standards:
- ISO 9001:2015, Clause 5: Leadership
- ISO 14001:2015, Clause 5: Leadership
- ISO 27001:2022, Clause 5: Leadership
2. Leadership and Commitment (Clause 5.1)
2.1 Top Management Definition
At Swedwise, top management comprises:
- CEO: Ultimate accountability for the IMS
- Management Team: Strategic direction and functional leadership
Top management collectively ensures the IMS is effective, integrated with business operations, and achieves intended outcomes.
2.2 General Leadership and Commitment
Top management demonstrates leadership and commitment to the IMS by:
2.2.1 Accountability
CEO Accountability:
- Takes ultimate responsibility for IMS effectiveness
- Ensures IMS achieves intended outcomes:
- Quality: Customer satisfaction, service excellence
- Environmental: Environmental performance, pollution prevention
- Information Security: Confidentiality, integrity, availability of information
Management Team Accountability:
- Each member accountable for IMS implementation within their area of responsibility
- Supports CEO in driving IMS effectiveness across the organization
2.2.2 Policy and Objectives
Top management:
- Establishes and maintains IMS policies (Section 3 of this document)
- Ensures policies are appropriate to organizational context and strategic direction
- Establishes quality, environmental, and information security objectives
- Ensures objectives are aligned with strategic direction and cascaded through the organization
- Reviews objectives regularly for continued suitability
Policy References:
- SW-IMS-POL-001: Integrated Management System Policy
- SW-QMS-POL-001: Quality Policy
- SW-EMS-POL-001: Environmental Policy
- SW-ISMS-POL-001: Information Security Policy
2.2.3 Integration with Business Processes
Top management ensures:
- IMS requirements are integrated into business processes (not run as a separate compliance system)
- Quality, environmental, and security considerations are embedded in decision-making
- IMS supports business strategy and objectives
- Process approach is applied across the organization
- IMS enables market access (public procurement, customer requirements)
Examples of Integration:
- Sales proposals include quality, security, and environmental commitments
- Project delivery follows IMS procedures (change control, risk management, documentation)
- SaaS platform design incorporates security controls and availability requirements
- Resource planning considers competence requirements from IMS
- Procurement decisions include supplier security and environmental assessment
2.2.4 Resource Provision
Top management ensures adequate resources are available for:
Human Resources:
- Dedicated IMS roles: IMS Owner, Quality Lead, Environmental Lead, CISO
- Process owners for critical processes
- Internal auditor training and time allocation
- Staff time for IMS activities (training, audits, improvement initiatives)
Financial Resources:
- Budget for IMS implementation and maintenance
- Investment in tools and systems (monitoring, documentation, security controls)
- External support (consultants, certification audits, training)
Infrastructure Resources:
- IT infrastructure for IMS (document management, monitoring tools)
- Secure infrastructure for SaaS platform (data center, cloud services)
- Office facilities supporting environmental and work environment objectives
Knowledge Resources:
- Access to standards and regulatory updates
- Training and competence development
- External expertise when needed
2.2.5 Communication
Top management communicates:
- The importance of effective quality, environmental, and security management
- The importance of conforming to IMS requirements
- IMS performance and improvements
- Customer focus and stakeholder value
- Personal commitment through visible participation
Communication Channels:
- Management reviews (quarterly)
- All-hands meetings and town halls
- Management Team meetings
- Email updates and newsletters
- Intranet and document repository
- One-on-one meetings with staff
- Customer communications (when appropriate)
2.2.6 Intended Outcomes Achievement
Top management ensures the IMS achieves intended outcomes:
Quality Outcomes (ISO 9001):
- Consistently provide products and services that meet customer and legal requirements
- Enhance customer satisfaction
- Address risks and opportunities affecting conformity and customer satisfaction
Environmental Outcomes (ISO 14001):
- Enhance environmental performance
- Fulfill compliance obligations
- Achieve environmental objectives
Information Security Outcomes (ISO 27001):
- Protect confidentiality, integrity, and availability of information
- Meet information security requirements of interested parties
- Achieve information security objectives and manage risks
2.2.7 Improvement Culture
Top management:
- Promotes continual improvement of the IMS and its processes
- Encourages innovation and learning
- Supports staff in identifying and implementing improvements
- Recognizes and celebrates improvement successes
- Learns from nonconformities and incidents without blame
- Aligns with "The Machine" learning organization philosophy
2.2.8 Support for Management Roles
Top management:
- Supports other management roles in their IMS responsibilities
- Demonstrates leadership in their own areas
- Ensures managers have authority and resources to fulfill IMS responsibilities
- Holds managers accountable for IMS performance in their areas
2.3 Customer Focus
Top management ensures customer focus is maintained throughout the organization:
2.3.1 Customer and Legal Requirements
Top management ensures:
- Customer requirements are determined, understood, and consistently met
- Legal and regulatory requirements applicable to products and services are determined and met
- Contractual obligations (SLAs, security requirements, data residency) are fulfilled
- Risks and opportunities that can affect product/service conformity are identified and addressed
Customer Requirement Channels:
- Sales process: Requirements gathering, proposal development
- Contracts and SLAs: Formal commitments
- Customer communications: QBRs, feedback sessions, support interactions
- Procurement specifications: Public sector tender requirements
2.3.2 Customer Satisfaction
Top management ensures:
- Customer satisfaction is a primary focus
- Customer needs and expectations are understood
- Actions are taken to enhance customer satisfaction
- Customer satisfaction is measured and monitored
- Customer feedback is analyzed and acted upon
Customer Satisfaction Measures:
- Annual customer satisfaction surveys
- Net Promoter Score (NPS)
- Quarterly Business Reviews (QBRs) feedback
- Support ticket satisfaction ratings
- Customer retention and churn rates
- Customer references and testimonials
Target: Maintain customer satisfaction ≥ [TBD, e.g., 4.0/5.0] and NPS ≥ [TBD, e.g., 50]
3. Policy (Clause 5.2)
3.1 IMS Policy Framework
Swedwise has established a hierarchy of policies that provide the framework for setting objectives and guide IMS implementation:
3.1.1 Integrated Management System Policy
Document: SW-IMS-POL-001 - Integrated Management System Policy
Purpose: Overarching policy integrating quality, environmental, and information security commitments
Key Commitments:
- Customer focus and stakeholder value
- Quality excellence
- Environmental responsibility
- Information security
- Compliance with legal and regulatory requirements
- Continual improvement
- Competence and awareness
3.1.2 Quality Policy
Document: SW-QMS-POL-001 - Quality Policy
Purpose: Specific commitments to quality management
Key Commitments:
- Customer satisfaction and service excellence
- Continuous improvement culture
- Competence and training
- Process approach and data-driven decision making
- Risk-based thinking
- Evidence-based management
Quality Objectives (Summary):
- Customer satisfaction ≥ [TBD, e.g., 4.0/5.0]
- SaaS platform availability ≥ 99.9%
- Incident response within defined SLAs
- Project delivery on-time, on-budget, meeting scope
- Staff competence (100% required training, [TBD]% technical certifications)
- Continuous improvement (minimum [TBD] improvements annually)
3.1.3 Environmental Policy
Document: SW-EMS-POL-001 - Environmental Policy
Purpose: Commitments to environmental protection and sustainability
Key Commitments:
- Pollution prevention
- Compliance with environmental legal and regulatory requirements
- Environmental performance improvement
- Sustainable use of resources
- Consideration of life-cycle perspective
Environmental Objectives (Summary):
- Reduce carbon footprint from business travel by [TBD, e.g., 10%] year-over-year
- Maintain [TBD, e.g., 90%+] electronic waste recycling rate
- Reduce energy consumption per employee by [TBD, e.g., 5%] year-over-year
- Prefer suppliers with environmental management systems
- Promote remote meetings to reduce travel
3.1.4 Information Security Policy
Document: SW-ISMS-POL-001 - Information Security Policy
Purpose: Commitments to protecting information assets
Key Commitments:
- Protect confidentiality, integrity, and availability of information
- Compliance with information security legal, regulatory, and contractual requirements
- Risk-based approach to information security
- Security awareness and competence
- Incident management and continual improvement
Information Security Objectives (Summary):
- Zero material security breaches annually
- 100% staff completion of annual security awareness training
- High-risk vulnerabilities remediated within [TBD, e.g., 30 days]
- GDPR compliance (100% conformance with data protection requirements)
- ISO 27001 certification achieved and maintained
3.2 Policy Characteristics
All IMS policies are:
Appropriate to Context:
- Aligned with Swedwise's purpose, size (~35 employees), and business model
- Reflect organizational context (Section 2 of SW-IMS-MAN-004)
- Address interested party requirements (Section 3 of SW-IMS-MAN-004)
- Support strategic direction and "Make Time For The Good" brand promise
Framework for Objectives:
- Provide basis for setting and reviewing objectives
- High-level objectives stated in policies
- Detailed objectives and targets defined in annual planning
Include Commitments:
- Meet applicable requirements (customer, legal, regulatory, contractual)
- Continual improvement of IMS and its processes
- Specific commitments for quality, environmental, and information security
Documented:
- Formally documented in controlled policy documents
- Maintained as documented information in IMS Repository
Communicated:
- Available to all employees via IMS Repository (intranet)
- Communicated during onboarding
- Reinforced through training and awareness programs
- Available to interested parties (customers, auditors) upon request
Reviewed and Updated:
- Reviewed annually by CEO and relevant IMS leads
- Updated when context, requirements, or strategy changes
- Approved by CEO before release
- Changes communicated to all staff
3.3 Supporting Policies
In addition to the top-level IMS policies, Swedwise maintains functional policies supporting IMS implementation:
Information Security Functional Policies:
- SW-ISMS-POL-002: Acceptable Use Policy
- SW-ISMS-POL-003: Data Protection and Privacy Policy
- SW-ISMS-POL-004: Access Control Policy
- SW-ISMS-POL-005: Business Continuity Policy
- SW-ISMS-POL-006: HR Security Policy
- SW-ISMS-POL-007: Information Classification Policy
- SW-ISMS-POL-008: Physical Security Policy
- SW-ISMS-POL-009: Network Security Policy
- SW-ISMS-POL-010: Cryptographic Controls Policy
- SW-ISMS-POL-011: Logging and Monitoring Policy
- SW-ISMS-POL-012: Remote Working Policy
Quality and Environmental Policies:
- SW-QMS-POL-002: Customer Communication Policy
- SW-EMS-POL-002: [TBD if additional environmental policies needed]
All policies are cross-referenced and aligned to ensure consistency across the IMS.
4. Organizational Roles, Responsibilities, and Authorities (Clause 5.3)
4.1 Organizational Structure
Swedwise operates with a relatively flat organizational structure emphasizing autonomy, collaboration, and learning (aligned with "The Machine" framework).
4.1.1 Organizational Chart
CEO (IMS Accountability)
  └── Management Team (Strategic Leadership and Functional Management)
        ├── Customer Acquisition (CusAcq)
        ├── Customer Development (CusDev)
        ├── Customer Success (CusSuc)
        ├── Resource Management (ResMgmt)
        ├── PMO
        ├── Support Functions (SupFns)
        └── Discipline Forums (DiscFor)
IMS Roles (Overlaid on Organizational Structure):
- CEO: Overall IMS accountability
- IMS Owner: IMS coordination (may be Quality Lead or separate)
- Quality Lead: QMS coordination
- Environmental Lead: EMS coordination
- CISO: ISMS coordination
- Department/Functional Heads: IMS implementation in their areas
Notes:
- Customer Acquisition (CusAcq): Sales and business development
- Customer Development (CusDev): Account management
- Customer Success (CusSuc): Delivery, support, onboarding
- Resource Management (ResMgmt): Staffing, capacity, training
- PMO: Project Management Office (internal projects, governance)
- Support Functions (SupFns): Finance, HR, IT, Administration
- Discipline Forums (DiscFor): Technical expertise groups (cross-functional)
4.2 Key IMS Roles and Responsibilities
4.2.1 Chief Executive Officer (CEO)
Current Assignee: [TBD - Name]
IMS Responsibilities:
Overall Accountability:
- Ultimate accountability for IMS establishment, implementation, maintenance, and effectiveness
- Ensures IMS achieves intended outcomes (quality, environmental, information security)
Leadership:
- Demonstrates visible leadership and commitment to IMS
- Champions quality, environmental, and security culture
- Promotes customer focus throughout organization
Policy and Direction:
- Approves IMS policies and objectives
- Ensures policies are appropriate to organizational context
- Aligns IMS with strategic direction
- Communicates importance of effective IMS
Resources:
- Ensures adequate resources for IMS (personnel, financial, infrastructure)
- Approves IMS budget and major investments
- Assigns IMS roles and responsibilities
Integration:
- Ensures IMS requirements are integrated into business processes
- Promotes process approach throughout organization
- Ensures IMS supports business success
Management Review:
- Chairs management review meetings (quarterly)
- Reviews IMS performance and makes strategic decisions
- Approves actions from management reviews
External Representation:
- Represents Swedwise to certification bodies and external auditors
- Communicates IMS commitments to customers and stakeholders
- Approves IMS communications to external parties
Authority:
- Full authority over all IMS matters
- Final approval for policies, objectives, significant changes
- Accountability to owners/board for IMS effectiveness
4.2.2 Management Team
Members: [TBD - Names and functional areas]
Collective Responsibilities:
- Support CEO in IMS leadership
- Participate in context analysis and strategic planning
- Set objectives aligned with IMS policies
- Participate in management reviews
- Approve significant IMS decisions
- Promote IMS within their areas
- Lead by example in following IMS requirements
Individual Responsibilities (as functional heads):
- Implement IMS within their area of responsibility
- Ensure staff understand and comply with IMS requirements
- Allocate resources for IMS activities
- Monitor performance against objectives in their area
- Report performance in management reviews
- Support internal audits
- Lead corrective actions and improvements
- Ensure competence of staff in their area
4.2.3 IMS Owner
Current Assignee: [TBD - Name]
Reports to: CEO
Time Allocation: [TBD - e.g., 25-40% depending on implementation phase]
Note: This role may be combined with Quality Lead or assigned separately.
Responsibilities:
IMS Coordination:
- Coordinate integrated activities across quality, environmental, and information security
- Maintain overall IMS Manual and documentation framework
- Facilitate collaboration between Quality Lead, Environmental Lead, and CISO
Documentation:
- Manage IMS document control system (with Document Controller if separate)
- Ensure IMS documentation is current, accessible, and controlled
- Coordinate document reviews and updates
Management Review:
- Prepare management review agenda and materials
- Coordinate input from Quality Lead, Environmental Lead, CISO
- Document management review minutes and follow up on actions
Internal Audit Program:
- Coordinate integrated internal audit program
- Schedule audits covering quality, environmental, and information security
- Ensure audit findings are tracked and closed
Performance Monitoring:
- Monitor overall IMS performance (aggregated from QMS, EMS, ISMS)
- Prepare performance dashboards and reports
- Identify cross-cutting trends and improvement opportunities
Continual Improvement:
- Facilitate continual improvement initiatives
- Coordinate corrective action process
- Maintain improvement log and track closure
Awareness and Training:
- Coordinate IMS awareness programs
- Ensure new employees receive IMS orientation
- Support training for IMS roles (auditors, process owners)
External Liaison:
- Liaise with certification body (coordinating with Quality Lead, CISO, Environmental Lead)
- Support external audits (scheduling, logistics, documentation)
Authority:
- Request information and support from any department for IMS purposes
- Escalate IMS issues to CEO or Management Team
- Approve minor IMS document updates (within approved scope)
- Coordinate corrective actions across departments
Detailed Role Description: [TBD - SW-IMS-ROLE-XXX when created]
4.2.4 Quality Lead
Current Assignee: [TBD - Name]
Reports to: CEO or Management Team member
Time Allocation: [TBD - e.g., 20-30%]
Responsibilities:
QMS Coordination:
- Coordinate Quality Management System (QMS) implementation and maintenance
- Ensure QMS conformance with ISO 9001:2015
- Champion quality culture and customer focus
Quality Objectives:
- Develop quality objectives in collaboration with management
- Monitor progress against quality objectives
- Report quality performance
Customer Satisfaction:
- Coordinate customer satisfaction measurement (surveys, NPS)
- Analyze customer feedback and identify improvement opportunities
- Report customer satisfaction trends to management
Quality Audits:
- Plan and coordinate quality-focused internal audits
- Ensure quality audit findings are addressed
- Support external quality audits (ISO 9001 certification)
Quality Improvement:
- Lead quality improvement initiatives
- Facilitate quality problem-solving and root cause analysis
- Promote best practices and lessons learned
Documentation:
- Maintain quality policies, procedures, and work instructions
- Ensure quality documentation is current and accessible
Reporting:
- Report QMS performance in management reviews
- Provide quality metrics and KPIs
- Escalate quality issues and risks
Authority:
- Approve quality procedures and work instructions (within policy)
- Request quality-related information from any department
- Stop processes that pose significant quality risks (pending management decision)
- Escalate to CEO on quality matters
Detailed Role Description: SW-IMS-ROLE-XXX (Quality Lead)
4.2.5 Environmental Lead
Current Assignee: [TBD - Name]
Reports to: CEO or Management Team member
Time Allocation: [TBD - e.g., 10-20% given office-based operations]
Responsibilities:
EMS Coordination:
- Coordinate Environmental Management System (EMS) implementation and maintenance
- Ensure EMS conformance with ISO 14001:2015
- Champion environmental awareness and responsibility
Environmental Aspects and Impacts:
- Identify and evaluate environmental aspects of Swedwise's activities
- Determine significant environmental aspects
- Maintain environmental aspects register
Compliance Obligations:
- Identify environmental legal and regulatory requirements
- Monitor compliance with environmental obligations
- Report compliance status
Environmental Objectives:
- Develop environmental objectives and targets
- Monitor progress toward environmental objectives
- Report environmental performance
Environmental Audits:
- Plan and coordinate environmental audits
- Ensure environmental audit findings are addressed
- Support external environmental audits (ISO 14001 certification)
Environmental Improvement:
- Lead environmental improvement initiatives
- Promote pollution prevention and resource efficiency
- Engage staff in environmental responsibility
Documentation:
- Maintain environmental policies, procedures, and records
- Ensure environmental documentation is current
Reporting:
- Report EMS performance in management reviews
- Provide environmental metrics (carbon footprint, waste, energy)
- Escalate environmental issues and risks
Authority:
- Approve environmental procedures (within policy)
- Request environmental data from any department
- Recommend environmental investments and initiatives
- Escalate to CEO on environmental matters
Detailed Role Description: SW-IMS-ROLE-XXX (Environmental Lead)
4.2.6 Chief Information Security Officer (CISO)
Current Assignee: [TBD - Name]
Reports to: CEO
Time Allocation: [TBD - e.g., 20-30% steady state, 40-50% during implementation]
Responsibilities:
ISMS Leadership:
- Establish and maintain Information Security Management System (ISMS)
- Ensure ISMS conformance with ISO 27001:2022
- Champion information security culture and awareness
Risk Management:
- Coordinate information security risk assessments
- Maintain information security risk register
- Propose risk treatment plans to management
- Monitor effectiveness of security controls
Security Policies and Controls:
- Develop and maintain information security policies
- Oversee implementation of ISO 27001 Annex A controls
- Maintain Statement of Applicability (SoA)
- Ensure controls are appropriate for Swedwise's context
Incident Management:
- Lead information security incident response
- Coordinate incident investigation and remediation
- Report security incidents to management and affected parties
- Analyze incident trends and recommend preventive actions
Compliance:
- Ensure compliance with information security legal and regulatory requirements (GDPR, etc.)
- Monitor compliance with customer security requirements
- Coordinate with Data Protection Officer (DPO) on privacy matters
Security Audits:
- Plan and coordinate information security audits
- Ensure ISMS audit findings are addressed
- Support external security audits (ISO 27001 certification)
Security Awareness:
- Develop and deliver information security awareness training
- Ensure all staff receive security training
- Promote security-conscious culture
Third-Party Security:
- Assess security of suppliers and partners
- Ensure security requirements in supplier contracts
- Monitor third-party compliance with security requirements
Reporting:
- Report ISMS performance in management reviews
- Provide security metrics and KPIs
- Escalate security issues and risks to management
Authority:
- Approve information security policies and procedures
- Classify security incidents and determine response priorities
- Suspend systems or access in case of security threats
- Approve security exceptions with documented risk acceptance
- Escalate security issues directly to CEO
Detailed Role Description: SW-ISMS-ROLE-001 - Chief Information Security Officer (CISO)
4.2.7 Department Heads / Functional Managers
Examples: Customer Acquisition Lead, Customer Success Lead, Resource Management Lead, IT Manager, Finance Manager, etc.
Responsibilities:
IMS Implementation:
- Implement IMS policies and procedures within their area
- Ensure processes in their area conform to IMS requirements
- Assign process ownership for processes in their area
Staff Management:
- Ensure staff understand IMS requirements relevant to their roles
- Ensure staff have necessary competence (training, skills, experience)
- Conduct performance evaluations including IMS compliance
Performance Monitoring:
- Monitor performance of processes in their area
- Track KPIs relevant to their area
- Report performance to management reviews
Improvement:
- Identify improvement opportunities in their area
- Support corrective actions and improvement initiatives
- Implement approved improvements
Audit Support:
- Support internal and external audits in their area
- Ensure audit findings in their area are addressed
- Provide evidence of IMS implementation
Resource Allocation:
- Allocate staff time and resources for IMS activities
- Support IMS roles in their area (if applicable)
Escalation:
- Escalate IMS issues, risks, and nonconformities
- Report performance variances
4.2.8 Internal Auditors
Assignment: Designated employees trained in internal auditing
Responsibilities:
- Conduct internal audits according to audit program
- Remain objective and impartial by auditing only areas outside their own responsibility
- Report audit findings accurately and objectively
- Verify effectiveness of corrective actions
- Identify improvement opportunities
- Maintain audit competence
Authority:
- Access to all areas, processes, and records within audit scope
- Request information and interviews from staff
- Report findings directly to IMS Owner and management
- Remain independent and objective
Detailed Role Description: SW-IMS-ROLE-XXX (Internal Auditor)
4.2.9 Data Protection Officer (DPO)
Current Assignee: [TBD - Name]
Reports to: CEO (with functional independence)
Time Allocation: [TBD - e.g., 10-20%]
Note: This role may be combined with CISO or assigned separately. DPO has specific legal responsibilities under GDPR.
Responsibilities:
- Ensure GDPR compliance
- Advise on data protection impact assessments (DPIAs)
- Cooperate with supervisory authority (IMY - Swedish Authority for Privacy Protection)
- Act as contact point for data subjects and authority
- Monitor GDPR compliance and training
Authority:
- Independence in carrying out DPO tasks
- Direct reporting to highest management level
- Not to be dismissed or penalized for performing DPO duties
Detailed Role Description: SW-IMS-ROLE-XXX (Data Protection Officer)
4.2.10 All Employees
Responsibilities:
- Understand and comply with IMS policies and procedures relevant to their roles
- Complete required IMS training and awareness programs
- Report issues, incidents, nonconformities, and improvement opportunities
- Participate in IMS activities (audits, improvement initiatives, training)
- Follow documented processes and work instructions
- Contribute to achieving IMS objectives
- Represent Swedwise professionally to customers and external parties
Authority:
- Implement improvements within their scope of work (with approval as needed)
- Report concerns without fear of retaliation
- Request clarification on IMS requirements
Detailed Description: SW-IMS-ROLE-XXX (Employee Responsibilities)
4.3 Authority Matrix
Key authorities within the IMS:
| Decision / Action | CEO | Management Team | IMS Owner | Quality Lead | Environmental Lead | CISO | Department Head |
|---|---|---|---|---|---|---|---|
| Approve IMS Policies | A | C | S | S | S | S | - |
| Approve IMS Objectives | A | C | S | S | S | S | I |
| Approve Management Review | A | C | R | S | S | S | I |
| Approve Major IMS Changes | A | C | S | S | S | S | - |
| Approve Risk Treatment Plans | A | C | S | S | S | R | C |
| Approve Corrective Actions | I | I | R | C | C | C | A (for their area) |
| Approve Internal Audit Program | C | I | A | C | C | C | I |
| Approve Procedures | - | - | C | A (quality) | A (env) | A (security) | C |
| Classify Security Incidents | I | I | I | - | - | A | C |
| Approve Security Exceptions | C (major) | - | I | - | - | A | C |
| Stop Process for Quality Risk | C | - | I | A | - | - | C |
| Allocate Resources | A (major) | C | R | R | R | R | A (within budget) |
Key:
- A = Approves (final decision authority)
- R = Responsible (executes, coordinates)
- C = Consulted (input sought)
- S = Supports (assists)
- I = Informed (notified)
4.4 Delegation and Backup
Delegation Principles:
- CEO may delegate specific IMS authorities to Management Team or IMS roles
- Delegations must be documented and communicated
- Ultimate accountability remains with CEO
Backup Arrangements:
- Each key IMS role should have a designated backup/deputy
- Backup trained and briefed on role responsibilities
- Backup acts during absences (vacation, illness)
- Critical contacts and information documented for continuity
Examples:
- Deputy CISO: [TBD] acts as CISO during absence
- Internal Auditor Backup: Multiple auditors trained to ensure audit program continuity
4.5 Role Descriptions
Detailed role descriptions are maintained for key IMS roles:
Available Role Descriptions:
- SW-ISMS-ROLE-001: Chief Information Security Officer (CISO)
- SW-IMS-ROLE-XXX: IMS Owner (to be created)
- SW-IMS-ROLE-XXX: Quality Lead (to be created)
- SW-IMS-ROLE-XXX: Environmental Lead (to be created)
- SW-IMS-ROLE-XXX: Internal Auditor (to be created)
- SW-IMS-ROLE-XXX: Data Protection Officer (to be created)
- SW-IMS-ROLE-XXX: Department Manager (to be created)
- SW-IMS-ROLE-XXX: Employee Responsibilities (to be created)
Role descriptions include:
- Role summary and context
- Key responsibilities
- Authority and decision-making scope
- Required competencies (education, experience, skills)
- Time allocation estimates
- Performance indicators
- Relationships (internal and external)
5. Document Control
5.1 Document Information
| Attribute | Value |
|---|---|
| Document ID | SW-IMS-MAN-005 |
| Title | IMS Manual - Leadership (Clause 5) |
| Owner | CEO |
| Approver | CEO |
| Classification | Internal |
| Review Frequency | Annual |
5.2 Version History
| Version | Date | Author | Changes | Approved By |
|---|---|---|---|---|
| 1.0 | [TBD] | [IMS Owner name] | Initial creation for ISO certification | [CEO name] |
5.3 Approval
Next Review Date: [TBD - typically 12 months from effective date]
| Role | Name | Signature | Date |
|---|---|---|---|
| CEO | [TBD] | | |
| IMS Owner | [TBD] | | |
6. Related Documents
IMS Manual Sections:
- SW-IMS-MAN-001: Introduction and Overview
- SW-IMS-MAN-004: Context of the Organization (Clause 4)
- SW-IMS-MAN-006: Planning (Clause 6)
- SW-IMS-MAN-007: Support (Clause 7)
Policies:
- SW-IMS-POL-001: Integrated Management System Policy
- SW-QMS-POL-001: Quality Policy
- SW-EMS-POL-001: Environmental Policy
- SW-ISMS-POL-001: Information Security Policy
Role Descriptions:
- SW-ISMS-ROLE-001: Chief Information Security Officer (CISO)
- SW-IMS-ROLE-XXX: IMS Owner
- SW-IMS-ROLE-XXX: Quality Lead
- SW-IMS-ROLE-XXX: Environmental Lead
- SW-IMS-ROLE-XXX: Internal Auditor
- SW-IMS-ROLE-XXX: Data Protection Officer
- SW-IMS-ROLE-XXX: Department Manager
- SW-IMS-ROLE-XXX: Employee Responsibilities
Procedures:
- SW-IMS-PRO-004: Management Review Procedure
- SW-IMS-PRO-003: Internal Audit Procedure
- SW-IMS-PRO-002: Risk Assessment Procedure
- SW-IMS-PRO-001: Document Control Procedure
This document is approved by Swedwise AB management and is effective from the date specified above.