- See ISO 27002:2022 Control 5.4 for more information.
- See ISO 27001:2013 Annex A 7.2.1 for more information.
Ensuring Compliance: Management’s Guide to ISO 27001 Control 5.4
ISO 27001:2022, Annex A control 5.4, Management Responsibilities covers the need for management to ensure that all personnel stick to all the information security topic-specific policies and procedures as defined in the established information security policy of the organisation.
What Is ISO 27001:2022 Annex A 5.4 Management Responsibilities?
Employees and contractors should be aware of and fulfil their information security responsibilities as described in this Annex.
Annex A Control 5.4 describes how employees and contractors apply information security per the organisation’s policies and procedures.
The responsibilities placed upon managers should include requirements to:
- They must understand the information security threats, vulnerabilities, and controls relevant to their job roles and receive regular training (as outlined in Annex A 7.2.2).
- Reinforce the requirements of the terms and conditions of employment by ensuring buy-in to proactive and adequate support for applicable information security policies and controls in Annex A.
It is the responsibility of managers to ensure that security awareness and conscientiousness permeate the entire organisation and to establish an appropriate “security culture.”
Information Security Policies – What Are They?
An information security policy is a formal document that provides management direction, goals and principles for protecting an organisation’s information. To ensure the allocation of resources appropriately, an effective information security policy needs to be tailored to an organisation’s specific needs and supported by senior management.
It specifies how the company will protect its information assets and how employees should handle sensitive data.
Most information security policies are developed by senior management in conjunction with IT security staff and are derived from laws, regulations, and best practices.
A framework for defining roles and responsibilities and a review period should also be included in policies.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Why Is ISO 27001:2022 Annex A 5.4 Significant?
Annex A Control 5.4 aims to ensure that management is aware of their responsibilities for information security.
It takes steps to ensure that all employees are aware of those responsibilities.
How Annex A 5.4 Works
Information is a valuable asset that must be protected against loss, damage, or misuse. Management must ensure that adequate measures are taken to protect this asset. To achieve this, management must ensure that all personnel adhere to the organisation’s information security policies, topical policies, and procedures.
Control 5.4 in Annex A defines management responsibility regarding information security in an organisation based on ISO 27001’s framework.
Management must be on board with the information security programme, and all employees and contractors must be aware of the information security policy and follow it. Security policies, topic-specific policies, and procedures should never be exempt from mandatory compliance by any employee or contractor.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
The Process of Annex A 5.4 and What to Expect
An organisation’s information security policies, standards, and procedures must be enforced by management to comply with this Annex A control.
Getting management’s support and buy-in is the first step.
To demonstrate commitment, management must follow all its policies and procedures. For example, if security awareness training is required annually, managers should complete those courses themselves.
Regardless of their position, everyone in the company must be aware of the importance of information security. As stated in the company’s ISMS programme, everyone must understand their role in maintaining the security of sensitive data. This includes the board of directors, executives and managers, and employees.
What Are the Changes and Differences From ISO 27001:2013?
ISO 27001:2022 Annex A 5.4 Management Responsibilities was previously known as Control 7.2.1 Management Responsibilities. It is not a newly added control but a more robust interpretation of the corresponding control in ISO 27001:2013.
There are a few differences between Annex A, control 5.4 and control 7.2.1. These differences are documented in the implementation guidance for both.
ISO 27001 Implementation Guidelines Comparison for Annex A 5.4
It is the responsibility of management to ensure that employees and contractors follow the following standards:
- Before accessing confidential information or information systems, employees are adequately trained in information security roles and responsibilities.
- Provide guidelines for stating the information security expectations of their role within the organisation.
An organisation must:
- Be motivated to ensure that the organisation’s information security policies are followed.
- Be familiar with their roles and responsibilities in terms of information security.
- Comply with the organisation’s information security policy and appropriate working methods.
- Ensure employees have the appropriate skills and qualifications and receive regular training.
- Reporting violations of information security policies or procedures can be done anonymously (“whistleblowing”).
Management should support information security policies, procedures, and Annex A controls.
Control 5.4 of Annex A is more user-friendly and requires that management ensures that employees and contractors follow the following guidelines:
A) Are informed of their responsibilities and roles in information security before access is granted to the organisation’s information.
B) Receive guidelines that specify the expected level of information security in their specific roles.
C) Fulfill the organisation’s information security policy and topic-specific policies.
D) Become aware of their role and responsibilities concerning information security.
E) Adherence to workplace rules, including the organisation’s data security policy and methods of working.
F) Continually educate yourself on information security skills and qualifications.
G) In cases of violations of information security policies, topic-specific policies or procedures (“whistleblowing”), employees should be provided with a confidential channel of communication. An anonymous reporting option or provisions ensuring that the identity of the reporter is only known to those who need to deal with these reports are possible.
H) Ensure adequate resources and project planning time to implement security-related processes and Annex A controls.
The ISO 27001:2022 standard explicitly demands that workers and contractors have access to the necessary resources and project planning time to implement security-related procedures and controls.
ISO 27001:2013 and ISO 27001:2022 use different wording for some implementation guidelines. For example, guideline C in 2013 states that employees and contractors should be ‘motivated’ to adopt ISMS policies; however, in 2022, the word ‘mandated’ is used.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
How Is This Process Managed?
Simply put, a company’s management ensures that an ISMS (Information Security Management System) is in place.
An information security manager who is qualified, experienced, and responsible for developing, implementing, managing, and continuously improving the ISMS should be appointed.
ISMS.online: How We Can Help
When implementing an ISO 27001-aligned ISMS, a key challenge is keeping track of your information security controls. Our system makes this process simple.
Our team understands the importance of protecting your organisation’s data and reputation. Consequently, our cloud-based platform simplifies the implementation of ISO 27001, enables you to establish a robust framework for information security controls, and helps you achieve certification quickly and easily.
Using ISMS.online, you can rapidly obtain ISO 27001 certification and manage it afterwards. Our platform has various user-friendly features and toolkits that will save you time and ensure you’re creating a robust ISMS.
Contact us today to schedule a demo.
