ISO 27001:2022 Annex A Control 5.4: Management Responsibilities

In essence, Annex 5.4 of the ISO 27001:22 standard outlines how both employees and contractors should adhere to information security in line with an organisation’s policies and procedures. For all businesses, it is essential that management personnel are aware of and understand their responsibilities in relation to security – whether they are members of staff on the company payroll or consultants, board level executives or middle management responsible for just one or two other team members.

In particular, personnel with management responsibilities have a duty to ensure that those individuals who report into them have an understanding of business assets, threats and vulnerabilities, as well as their duties and expectations in relation to the ISMS.

Developing this knowledge and awareness typically requires an organisation to implement suitable training and engagement exercises with staff to up-skill team members and mitigate risks.

Management responsibilities: what you need to know

Once information security policies and procedures are in place and an organisation has committed to keeping them up to date, it is the duty of managers to enforce these processes and procedures. Not only that but staff should be encouraged to contribute to the continuous improvement of these processes and procedures based on their real-world experience.

Creating this buy-in begins at the very top of an organisation – at board level and senior management – before filtering down to middle and junior management levels.

What’s changed from ISO 27001:2013?

ISO 27001:2022 Annex A control 5.4 Management responsibilities directly relates to the previous control 7.2.1 from the ISO 27001:2013 standard. Updates to this annex are relatively minor but they serve to strengthen the standard’s requirement for a robust approach to organisational information security.

Notable updates include a more clearly defined approach to:

• Informing employees and contractors of their roles and responsibilities before they are given access to an organisation’s information assets
• Providing role-specific guidance on the expected level of information security awareness
• Following workplace rules such as working best practice and data security policies
• Maintaining continuous professional development in information security skills and qualifications with adequate time and resource provided to achieve this

Within Annex A 5.1, information security and topic-specific policies must be clearly defined and approved by senior managers before being published, communicated to and acknowledged by relevant employees and stakeholders.

According to both ISO 27001:2013 and ISO 27001:2022 a security policy should be developed that outlines how organisational data will be protected and that this framework has been approved by senior management.