ISO27001 – Control 5.4 – Management Responsibilities


Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organisation.

What this means


For an organisation to effectively protect its information assets, it’s not enough to just have security policies and procedures in place. The employees and personnel who handle that information daily need to be aware of the policies and diligent about following them. But ensuring this level of security awareness and compliance doesn’t happen automatically – it requires a concerted effort and on-going commitment from management.

Fundamentally, this control is about management understanding their roles and responsibilities when it comes to leading and developing a strong culture of information security across the entire staff team.

So what are some of the specific aspects management needs to oversee per this control? A few key areas to consider are:

Employee Induction and Briefings – Before granting access to information assets, personnel must be properly briefed on their security roles and responsibilities.

Communication of Expectations – Employees need to be provided with clear guidelines that lay out the security expectations for their particular role. This might be a policy or a discussion (which should be documented).

Policy Compliance – Management must ensure that all employees comply with the organisation’s information security policies and the contract of employment.

Awareness Training – Personnel should receive awareness training tailored to their role to ensure they have the right security knowledge.

Professional Education – Ongoing training opportunities and awareness raising activities should be provided to allow personnel to maintain and develop relevant security skills.

Whistleblowing – There should be a process in place for personnel to confidentially report security violations. This should usually be anonymous, or at least allow the identity of the individual making the report to remain confidential.

Resourcing – Adequate resources and time are allocated for implementing security-related processes and controls.

The underlying principle is that management actively demonstrates its commitment to information security – not just in the form of documented policies, but through consistent follow-through and raising awareness of information security with all personnel.

Information security can never be a “check the box” process. It requires a concerted organisational effort, driven from the top down and supported from the bottom up. By fulfilling their obligations, management takes accountability for championing this effort and equipping personnel to uphold the organisation’s security objectives.

If you want to talk about information security in your organisation then please book a free call here or email us here