ISO 27001:2022 Annex A Control 5.4

Management Responsibilities

Book a demo

multiracial,young,creative,people,in,modern,office.,group,of,young

ISO 27001:2022, Annex A control 5.4, Management Responsibilities covers the need for management to ensure that all personnel stick to all the information security topic-specific policies and procedures as defined in the established information security policy of the organisation.

What Is ISO 27001:2022 Annex A 5.4 Management Responsibilities?

Employees and contractors should be aware of and fulfil their information security responsibilities as described in this Annex.

Annex A Control 5.4 describes how employees and contractors apply information security per the organisation’s policies and procedures.

The responsibilities placed upon managers should include requirements to:

  • They must understand the information security threats, vulnerabilities, and controls relevant to their job roles and receive regular training (as outlined in Annex A 7.2.2).
  • Reinforce the requirements of the terms and conditions of employment by ensuring buy-in to proactive and adequate support for applicable information security policies and controls in Annex A.

It is the responsibility of managers to ensure that security awareness and conscientiousness permeate the entire organisation and to establish an appropriate “security culture.”

Information Security Policies – What Are They?

An information security policy is a formal document that provides management direction, goals and principles for protecting an organisation’s information. To ensure the allocation of resources appropriately, an effective information security policy needs to be tailored to an organisation’s specific needs and supported by senior management.

It specifies how the company will protect its information assets and how employees should handle sensitive data.

Most information security policies are developed by senior management in conjunction with IT security staff and are derived from laws, regulations, and best practices.

A framework for defining roles and responsibilities and a review period should also be included in policies.

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Why Is ISO 27001:2022 Annex A 5.4 Significant?

Annex A Control 5.4 aims to ensure that management is aware of their responsibilities for information security.

It takes steps to ensure that all employees are aware of those responsibilities.

How Annex A 5.4 Works

Information is a valuable asset that must be protected against loss, damage, or misuse. Management must ensure that adequate measures are taken to protect this asset. To achieve this, management must ensure that all personnel adhere to the organisation’s information security policies, topical policies, and procedures.

Control 5.4 in Annex A defines management responsibility regarding information security in an organisation based on ISO 27001’s framework.

Management must be on board with the information security programme, and all employees and contractors must be aware of the information security policy and follow it. Security policies, topic-specific policies, and procedures should never be exempt from mandatory compliance by any employee or contractor.

The Process of Annex A 5.4 and What to Expect

An organisation’s information security policies, standards, and procedures must be enforced by management to comply with this Annex A control.

Getting management’s support and buy-in is the first step.

To demonstrate commitment, management must follow all its policies and procedures. For example, if security awareness training is required annually, managers should complete those courses themselves.

Regardless of their position, everyone in the company must be aware of the importance of information security. As stated in the company’s ISMS programme, everyone must understand their role in maintaining the security of sensitive data. This includes the board of directors, executives and managers, and employees.

What Are the Changes and Differences From ISO 27001:2013?

ISO 27001:2022 Annex A 5.4 Management Responsibilities was previously known as Control 7.2.1 Management Responsibilities. It is not a newly added control but a more robust interpretation of the corresponding control in ISO 27001:2013.

There are a few differences between Annex A, control 5.4 and control 7.2.1. These differences are documented in the implementation guidance for both.

ISO 27001 Implementation Guidelines Comparison for Annex A 5.4

It is the responsibility of management to ensure that employees and contractors follow the following standards:

  • Before accessing confidential information or information systems, employees are adequately trained in information security roles and responsibilities.
  • Provide guidelines for stating the information security expectations of their role within the organisation.

An organisation must:

  • Be motivated to ensure that the organisation’s information security policies are followed.
  • Be familiar with their roles and responsibilities in terms of information security.
  • Comply with the organisation’s information security policy and appropriate working methods.
  • Ensure employees have the appropriate skills and qualifications and receive regular training.
  • Reporting violations of information security policies or procedures can be done anonymously (“whistleblowing”).

Management should support information security policies, procedures, and Annex A controls.

Control 5.4 of Annex A is more user-friendly and requires that management ensures that employees and contractors follow the following guidelines:

A) Are informed of their responsibilities and roles in information security before access is granted to the organisation’s information.

B) Receive guidelines that specify the expected level of information security in their specific roles.

C) Fulfill the organisation’s information security policy and topic-specific policies.

D) Become aware of their role and responsibilities concerning information security.

E) Adherence to workplace rules, including the organisation’s data security policy and methods of working.

F) Continually educate yourself on information security skills and qualifications.

G) In cases of violations of information security policies, topic-specific policies or procedures (“whistleblowing”), employees should be provided with a confidential channel of communication. An anonymous reporting option or provisions ensuring that the identity of the reporter is only known to those who need to deal with these reports are possible.

H) Ensure adequate resources and project planning time to implement security-related processes and Annex A controls.

The ISO 27001:2022 standard explicitly demands that workers and contractors have access to the necessary resources and project planning time to implement security-related procedures and controls.

ISO 27001:2013 and ISO 27001:2022 use different wording for some implementation guidelines. For example, guideline C in 2013 states that employees and contractors should be ‘motivated’ to adopt ISMS policies; however, in 2022, the word ‘mandated’ is used.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How Is This Process Managed?

Simply put, a company’s management ensures that an ISMS (Information Security Management System) is in place.

An information security manager who is qualified, experienced, and responsible for developing, implementing, managing, and continuously improving the ISMS should be appointed.

ISMS.online: How We Can Help

When implementing an ISO 27001-aligned ISMS, a key challenge is keeping track of your information security controls. Our system makes this process simple.

Our team understands the importance of protecting your organisation’s data and reputation. Consequently, our cloud-based platform simplifies the implementation of ISO 27001, enables you to establish a robust framework for information security controls, and helps you achieve certification quickly and easily.

Using ISMS.online, you can rapidly obtain ISO 27001 certification and manage it afterwards. Our platform has various user-friendly features and toolkits that will save you time and ensure you’re creating a robust ISMS.

Contact us today to schedule a demo.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

100% ISO 27001 success

Your simple, practical, time-saving path to first-time ISO 27001 compliance or certification

Book your demo
Assured Results Method

Streamline your workflow with our new Jira integration! Learn more here.