Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
Management must require all personnel to apply information security in accordance with the organization’s information security policy, topic-specific policies, and procedures.
Plain-language meaning
Managers must actively ensure that people follow information security requirements.
This is not just about senior leadership approving a policy. It is about managers making security part of daily operations.
Core idea
A.5.4 makes information security a management responsibility, not only a security team responsibility.
Managers are expected to:
- communicate security expectations;
- ensure personnel follow policies and procedures;
- lead by example;
- support security controls;
- correct non-compliance;
- ensure training happens;
- reinforce security as part of normal work;
- motivate personnel to support security;
- monitor whether their teams comply.
The security team can create policies, advise, monitor, and report, but managers must ensure people in their area follow the requirements.
Difference between A.5.2 and A.5.4
| Control | Focus | Question it answers |
|---|---|---|
| A.5.2 Information Security Roles and Responsibilities | Define and allocate responsibilities | Who is responsible for what? |
| A.5.4 Management Responsibilities | Managers enforce and support secure behavior | Are managers ensuring people follow the rules? |
A.5.2 is about assignment.
A.5.4 is about management enforcement and leadership.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Communicate expectations
Managers should make sure employees, contractors, and third-party users understand that information security is part of their job.
Examples:
- discuss security during onboarding;
- include security in team meetings;
- remind staff about incident reporting;
- reinforce acceptable use and data handling;
- ensure role-specific procedures are followed.
2. Lead by example
If senior people ignore rules, the control is weak.
Poor leadership examples:
- executives bypass MFA;
- managers do not lock screens;
- senior staff use personal email for company data;
- leadership ignores phishing training;
- managers approve exceptions without risk review;
- privileged users share admin accounts.
A.5.4 expects managers to model the same behavior they require from others.
3. Verify compliance during daily work
Managers should not wait for an annual audit to discover non-compliance.
| Area | Management action |
|---|---|
| Access control | Ensure team members have only required access |
| Training | Track completion of awareness training |
| Incident reporting | Encourage prompt reporting without blame |
| Data handling | Check sensitive information is stored and shared correctly |
| Remote work | Ensure secure remote access rules are followed |
| Change management | Ensure changes are approved before implementation |
| Supplier use | Ensure third parties follow agreed security requirements |
4. Support security culture
Managers shape the real security culture.
People ignore security when they believe:
- speed matters more than control;
- management does not care;
- exceptions are normal;
- security is only a compliance exercise;
- reporting issues will get them blamed.
Managers should make security recognized, valued, and part of normal performance.
5. Correct non-compliance
If people do not follow controls, managers should respond.
Possible responses:
- coaching;
- remedial training;
- procedure clarification;
- access restriction;
- disciplinary action;
- formal corrective action;
- updating unclear procedures;
- reporting repeated non-compliance to HR/security.
The response should be proportionate. A one-time mistake may need training; deliberate bypassing may require formal action.
6. Encourage improvement
Managers can strengthen security by encouraging personnel to report:
- weaknesses;
- near misses;
- suspicious activity;
- improvement ideas;
- unclear procedures;
- inefficient controls.
Recognition programs can help, but even basic positive reinforcement matters.
Evidence for A.5.4
| Evidence | What it shows |
|---|---|
| Meeting agendas mentioning security | Security is part of routine management |
| Management communications | Managers reinforce expectations |
| Training completion reports | Managers ensure staff complete required training |
| Phishing test results and follow-up | Managers support awareness and remediation |
| Corrective action records | Non-compliance is addressed |
| Performance objectives | Security is part of role expectations |
| Access review sign-offs | Managers verify access appropriateness |
| Incident reporting records | Managers support reporting and escalation |
| Recognition programs | Good security behavior is encouraged |
| Staff interviews | Employees confirm management messages are real |
| Executive compliance with rules | Leadership sets the example |
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should test whether management support is real, not just written.
The first check is whether managers know their responsibilities. The next check is whether they actually act on them.
Audit tests
| Audit test | Evidence to request | Good evidence |
|---|---|---|
| Managers understand responsibilities | Manager interviews | Managers can explain security duties |
| Security is communicated | Meeting agendas, emails, briefings | Security appears in routine communications |
| Managers enforce training | LMS reports, escalation emails | Managers follow up on non-completion |
| Managers lead by example | Interviews, observation, compliance records | Senior staff follow same rules |
| Non-compliance is addressed | Remedial training, HR records, corrective actions | Issues are corrected and tracked |
| Security is in day-to-day work | Procedures, sign-offs, operational records | Managers verify controls during normal work |
| Awareness effectiveness is reviewed | Phishing tests, awareness metrics | Results lead to follow-up actions |
| Personnel feel security is supported | Staff interviews | Employees say management takes security seriously |
| Positive behavior is encouraged | Recognition, suggestions | Good practices are reinforced |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control or process operated for real cases.
- Managers discuss security in recurring meetings.
- Managers track and follow up on training completion.
- Phishing simulation results lead to targeted coaching.
- Access reviews are signed by managers or system owners.
- Non-compliance results in remedial training or corrective action.
- Security expectations are included in performance objectives.
- Employees say management takes security seriously.
- Senior staff follow the same security rules as other personnel.
- Managers encourage reporting of security weaknesses and incidents.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation, consistency, or effectiveness.
- Management approved policies but never mentions them.
- Managers ignore violations.
- Executives have informal exceptions.
- Training completion is poor and managers do not follow up.
- Employees say security is “just an IT thing.”
- Security is only discussed after incidents.
- Managers pressure staff to bypass controls for speed.
- No records show managers enforce procedures.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Security treated as IT-only | Business managers do not enforce behavior |
| Leadership bypasses controls | Staff copy the behavior |
| No follow-up on training | Awareness program loses credibility |
| No response to violations | Non-compliance becomes normal |
| Security not in meetings | Managers are not reinforcing expectations |
| Managers lack training | They cannot enforce what they do not understand |
| Informal exceptions | Control environment weakens |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- Management responsibility means only top management — wrong.
- Security team enforces everything — wrong.
- Approving a policy proves management responsibility — not enough.
- Security awareness alone is enough — not enough.
- Senior people can have informal exceptions — wrong; exceptions should be approved, risk-assessed, documented, and reviewed.
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.4 requires managers to actively require personnel to follow information security policies, topic-specific policies, and procedures. Managers must communicate expectations, lead by example, verify compliance, support training, address non-compliance, and make security part of daily operations.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Management
- Security culture
- Audit
Note Metadata
Aliases: A.5.4, Management Responsibilities
Source: 02 Annex A Organizational Controls/A.5.4 Management Responsibilities.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
5
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO27001 ISMS KB - Start Here
- Information Security Policy
- Management Responsibilities
- Roles and Responsibilities
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- A.5.2 vs A.5.4 Comparison
- ISO 27001 A.5.5 - Contact with Authorities
- ISO 27001 A.5.8 - Information Security in Project Management
- A.5 Organizational Controls MOC
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.4 - Disciplinary Process
- A.5.4 Audit Evidence Pack
- AQ-ISO27001-A.5.4 Management Responsibilities
- A.5 Organizational Controls Implementation Guide
- ISMS Implementation Roadmap
- ISO27001-A.5.4 Management Responsibilities
- A.5 Controls Implementation Audit Risk Mapping
- EXAM-005 - Responsibility vs Accountability
- ISO 27002 Annex A Control Interpretation Map
- Template - A.5.4 Audit Checklist
- Template - Management Responsibilities Interview Questions
- Template - Management Security Responsibilities Checklist
- Template - Manager Security Accountability Statement
- Annex A Controls MOC
- ISO 27001 Overview