UnixTime

Research Note

A.5.2 vs A.5.4 Comparison

Research note.

On this page

These controls are often confused.

Control Main concern Failure pattern Good evidence
A.5.2 Information Security Roles and Responsibilities Define and allocate information security roles and responsibilities Nobody knows who owns what Job descriptions, RACI, control owner register, signed responsibilities
A.5.4 Management Responsibilities Managers require personnel to follow policies and procedures Security is treated as IT’s problem and managers ignore behavior Manager interviews, meeting notes, training follow-up, corrective actions

Memory cues

A.5.2 asks:

Who is responsible and accountable?

A.5.4 asks:

Are managers making people follow the rules?

Practical example

Access control:

Question Related control
Who approves user access? A.5.2
Who ensures their team requests only appropriate access? A.5.4
Who implements access? A.5.2
Who follows up if access reviews are late? A.5.4
Who owns the access review control? A.5.2
Does management treat access review as important? A.5.4
  • Iso27001
  • ISO27002
  • Annex a
  • Exam
  • Comparison

Note Metadata

Aliases: Roles vs Management Responsibilities

Source: 02 Annex A Organizational Controls/A.5.2 vs A.5.4 Comparison.md