UnixTime

Research Note

ISO 27001 A.5.4 - Management Responsibilities

Management must require all personnel to apply information security in accordance with the organization's information security policy, topic-specific policies, and procedures.

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

Management must require all personnel to apply information security in accordance with the organization’s information security policy, topic-specific policies, and procedures.

Plain-language meaning

Managers must actively ensure that people follow information security requirements.

This is not just about senior leadership approving a policy. It is about managers making security part of daily operations.

Core idea

A.5.4 makes information security a management responsibility, not only a security team responsibility.

Managers are expected to:

  • communicate security expectations;
  • ensure personnel follow policies and procedures;
  • lead by example;
  • support security controls;
  • correct non-compliance;
  • ensure training happens;
  • reinforce security as part of normal work;
  • motivate personnel to support security;
  • monitor whether their teams comply.

The security team can create policies, advise, monitor, and report, but managers must ensure people in their area follow the requirements.

Difference between A.5.2 and A.5.4

Control Focus Question it answers
A.5.2 Information Security Roles and Responsibilities Define and allocate responsibilities Who is responsible for what?
A.5.4 Management Responsibilities Managers enforce and support secure behavior Are managers ensuring people follow the rules?

A.5.2 is about assignment.
A.5.4 is about management enforcement and leadership.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

1. Communicate expectations

Managers should make sure employees, contractors, and third-party users understand that information security is part of their job.

Examples:

  • discuss security during onboarding;
  • include security in team meetings;
  • remind staff about incident reporting;
  • reinforce acceptable use and data handling;
  • ensure role-specific procedures are followed.

2. Lead by example

If senior people ignore rules, the control is weak.

Poor leadership examples:

  • executives bypass MFA;
  • managers do not lock screens;
  • senior staff use personal email for company data;
  • leadership ignores phishing training;
  • managers approve exceptions without risk review;
  • privileged users share admin accounts.

A.5.4 expects managers to model the same behavior they require from others.

3. Verify compliance during daily work

Managers should not wait for an annual audit to discover non-compliance.

Area Management action
Access control Ensure team members have only required access
Training Track completion of awareness training
Incident reporting Encourage prompt reporting without blame
Data handling Check sensitive information is stored and shared correctly
Remote work Ensure secure remote access rules are followed
Change management Ensure changes are approved before implementation
Supplier use Ensure third parties follow agreed security requirements

4. Support security culture

Managers shape the real security culture.

People ignore security when they believe:

  • speed matters more than control;
  • management does not care;
  • exceptions are normal;
  • security is only a compliance exercise;
  • reporting issues will get them blamed.

Managers should make security recognized, valued, and part of normal performance.

5. Correct non-compliance

If people do not follow controls, managers should respond.

Possible responses:

  • coaching;
  • remedial training;
  • procedure clarification;
  • access restriction;
  • disciplinary action;
  • formal corrective action;
  • updating unclear procedures;
  • reporting repeated non-compliance to HR/security.

The response should be proportionate. A one-time mistake may need training; deliberate bypassing may require formal action.

6. Encourage improvement

Managers can strengthen security by encouraging personnel to report:

  • weaknesses;
  • near misses;
  • suspicious activity;
  • improvement ideas;
  • unclear procedures;
  • inefficient controls.

Recognition programs can help, but even basic positive reinforcement matters.

Evidence for A.5.4

Evidence What it shows
Meeting agendas mentioning security Security is part of routine management
Management communications Managers reinforce expectations
Training completion reports Managers ensure staff complete required training
Phishing test results and follow-up Managers support awareness and remediation
Corrective action records Non-compliance is addressed
Performance objectives Security is part of role expectations
Access review sign-offs Managers verify access appropriateness
Incident reporting records Managers support reporting and escalation
Recognition programs Good security behavior is encouraged
Staff interviews Employees confirm management messages are real
Executive compliance with rules Leadership sets the example

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should test whether management support is real, not just written.

The first check is whether managers know their responsibilities. The next check is whether they actually act on them.

Audit tests

Audit test Evidence to request Good evidence
Managers understand responsibilities Manager interviews Managers can explain security duties
Security is communicated Meeting agendas, emails, briefings Security appears in routine communications
Managers enforce training LMS reports, escalation emails Managers follow up on non-completion
Managers lead by example Interviews, observation, compliance records Senior staff follow same rules
Non-compliance is addressed Remedial training, HR records, corrective actions Issues are corrected and tracked
Security is in day-to-day work Procedures, sign-offs, operational records Managers verify controls during normal work
Awareness effectiveness is reviewed Phishing tests, awareness metrics Results lead to follow-up actions
Personnel feel security is supported Staff interviews Employees say management takes security seriously
Positive behavior is encouraged Recognition, suggestions Good practices are reinforced

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control or process operated for real cases.

  • Managers discuss security in recurring meetings.
  • Managers track and follow up on training completion.
  • Phishing simulation results lead to targeted coaching.
  • Access reviews are signed by managers or system owners.
  • Non-compliance results in remedial training or corrective action.
  • Security expectations are included in performance objectives.
  • Employees say management takes security seriously.
  • Senior staff follow the same security rules as other personnel.
  • Managers encourage reporting of security weaknesses and incidents.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation, consistency, or effectiveness.

  • Management approved policies but never mentions them.
  • Managers ignore violations.
  • Executives have informal exceptions.
  • Training completion is poor and managers do not follow up.
  • Employees say security is “just an IT thing.”
  • Security is only discussed after incidents.
  • Managers pressure staff to bypass controls for speed.
  • No records show managers enforce procedures.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Security treated as IT-only Business managers do not enforce behavior
Leadership bypasses controls Staff copy the behavior
No follow-up on training Awareness program loses credibility
No response to violations Non-compliance becomes normal
Security not in meetings Managers are not reinforcing expectations
Managers lack training They cannot enforce what they do not understand
Informal exceptions Control environment weakens

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • Management responsibility means only top management — wrong.
  • Security team enforces everything — wrong.
  • Approving a policy proves management responsibility — not enough.
  • Security awareness alone is enough — not enough.
  • Senior people can have informal exceptions — wrong; exceptions should be approved, risk-assessed, documented, and reviewed.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.4 requires managers to actively require personnel to follow information security policies, topic-specific policies, and procedures. Managers must communicate expectations, lead by example, verify compliance, support training, address non-compliance, and make security part of daily operations.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Management
  • Security culture
  • Audit

Note Metadata

Aliases: A.5.4, Management Responsibilities

Source: 02 Annex A Organizational Controls/A.5.4 Management Responsibilities.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

5

links

01

Requirement context

Primary control text, framework notes, or adjacent controls this note points to.

02

Implementation artifacts

Templates and working records that help operate the control.

03

Audit checks

Audit questions, checklists, or review material connected to the control.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.