An organization's information security should be owned by management, not just the IT team. An Information Security Management System (ISMS) recognizes that responsibility resides with senior management. Building the ISMS is fundamentally a risk management exercise; it should reflect deliberate choices and provide evidence that demonstrates the effectiveness of whatever is implemented.
The responsibility for carrying out the information security policies, however, does not rest with management alone; it belongs to every member of the organization. All employees are part of the ISMS. If you do not train them, your organization is open to exploitation. Every employee is a vital part of your defense, and also a significant vulnerability.
According to the Verizon 2022 Data Breach Investigations Report, "The human element continues to drive breaches. This year 82% of breaches involved the human element. Whether it is the Use of stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a very large role in incidents and breaches alike."
A mandatory staff awareness program, together with documented policies and procedures, can help mitigate the risk of a breach and act as a guide in specific situations (e.g. how to report a phishing email). Well-communicated policies and procedures clearly demonstrate your organization's position on security and can help embed a security culture.
The implication for an ISMS project is that it need not be led by a technology expert. In fact, there are many circumstances in which that could prove counterproductive. ISMS implementation projects are often led by quality managers, general managers, or other executives who are in a position to develop something that has organization-wide influence and importance.