Mar 73 min read

ISO27001:2022 - A5.4 Management responsibilities

Updated: Aug 2

In the previous control, A5.3 Segregation of Duties we outlined our expectations of key personnel and teams, but control A5.4 has a slightly different focus and emphasis, that if missed could be problematic.

The handy guide to all ISO27001:2022 Annex A Controls

What does the standard require?

The standard states that “Management shall require all personnel to apply information security in accordance with the established Information security policy, topic-specific policies and procedures of the organisation.” (A5.4 Management Responsibilities)

This focus then is on three distinct areas;

· The high-level information security policy

· Topic specific policies (e.g. Data Protection, Remote working etc)

· Procedures (e.g Patch Management, Business Continuity etc)

Why is this required?

The purpose of this control is to ensure management understand their role in information security and undertake actions that ensure all personnel are aware of and fulfil their information security responsibilities.

This control clearly emphasises the critical role management plays in developing and supporting a culture that respects and understands information security. Leadership plays an incredibly important role within ISO27001 and within security. Without clear, demonstrable and visible support for information security, the whole programme is at worse, likely to fail and at best, be difficult to manage.

What the auditor is looking for

The auditor can look in a variety of places for evidence of compliance on this requirement, including;

Reviewing the security policies and procedures.

Looking at when they were developed, signed off and communicated is a good indication of how important this topic is.

Reviewing employment contracts

Reviewing employment contracts, and contractor contracts to see if the stipulate that adherence to company policies is a mandatory requirement.

Communication of the documented information security policy and procedures

These documents should be readily available to everyone who needs to review them, and should be easy to locate.

Internal communication and training

The auditor will want to see a variety of communications about security, including emails, newsletters, or company-wide briefings or announcements reiterating the importance of information security.

Employee training records

Evidence that training on information security policies and procedures has taken place, is a good indication that management are looking to ensure interested parties understand their roles and responsibilities.

The handy guide to all ISO27001:2022 Annex A Controls

Q & A

How often should policies be reviewed and re-communicated?

At the very least, policies should be reviewed and updated every 12mths. If there are any significant changes to the business structure, or infrastructure that impact on the policies or procedures, these should be updated. For example if there is a merger or demerger, it is likely that this will impact on the scope, size and shape of the organisation – which means the documentation needs a refresh.

How can management ensure interested parties are aware of their obligations?

For internal personnel this could be as simple as checking training records, 1-2-1 records and meetings. For other interested parties like suppliers, this could be in the form of a regular review of the contracts in place.

What happens if someone breaks a policy?

All policies should include a section (usually at the end) which states what will happen if the policies and procedures are not adhered to. Something along the lines which states that “A reach of our policies may be deemed to be a disciplinary matter and will be dealt with through that process.”

Difficulty rating

We rate this a 2 out of 5 difficulty rating. This means that it requires minimum technical skills to satisfy the requirement.

Consultants Like Us