These controls are often confused.
| Control | Main concern | Failure pattern | Good evidence |
|---|---|---|---|
| A.5.2 Information Security Roles and Responsibilities | Define and allocate information security roles and responsibilities | Nobody knows who owns what | Job descriptions, RACI, control owner register, signed responsibilities |
| A.5.4 Management Responsibilities | Managers require personnel to follow policies and procedures | Security is treated as IT’s problem and managers ignore behavior | Manager interviews, meeting notes, training follow-up, corrective actions |
Memory cues
A.5.2 asks:
Who is responsible and accountable?
A.5.4 asks:
Are managers making people follow the rules?
Practical example
Access control:
| Question | Related control |
|---|---|
| Who approves user access? | A.5.2 |
| Who ensures their team requests only appropriate access? | A.5.4 |
| Who implements access? | A.5.2 |
| Who follows up if access reviews are late? | A.5.4 |
| Who owns the access review control? | A.5.2 |
| Does management treat access review as important? | A.5.4 |
- Iso27001
- ISO27002
- Annex a
- Exam
- Comparison
Note Metadata
Aliases: Roles vs Management Responsibilities
Source: 02 Annex A Organizational Controls/A.5.2 vs A.5.4 Comparison.md