ISO 27002:2022, Control 5.4 – Management Responsibilities

ISO 27002:2022 Revised Controls

Book a demo

business,communication,connection,working,concept

ISO 27002:2022, control 5.4, Management Responsibilities covers the need for management to ensure that all personnel stick to all the information security topic-specific policies and procedures as defined in the established information security policy of the organisation.

What is Control 5.4 Management Responsibilities

What is an information security policy?

An information security policy is a formal document that provides management direction, goals and principles for protecting an organisation’s information. An effective information security policy should be tailored to the specific needs of an organisation and supported by senior management to ensure appropriate allocation of resources.

The policy communicates the overarching principles on how management would like employees to handle sensitive data and how the company will protect its information assets.

The policy is often derived from laws, regulations and best practices that must be adhered to by the organisation. Information security policies are usually created by an organisation’s senior management, with input from its IT security staff.

Policies should also include a framework for defining roles and responsibilities and a timeline for periodic review.

Attributes Table

Attributes are a way to categorise different types of controls. These attributes allow you to align your controls with industry standards. In control 5.4 they are:

Control TypeInformation Security PropertiesCybersecurity ConceptsOperational CapabilitiesSecurity Domains
#Preventive#Confidentiality #Integrity #Availability#Identify#Governance#Governance and Ecosystem

ISMS.online will save you time and money

Get your quote

What Is The Purpose of Control 5.4?

Control 5.4 was designed to ensure that management understands their responsibility in information security and that they take steps to ensure that all employees are aware of and fulfil their information security obligations.

Control 5.4 Explained

Information is a valuable asset and must be protected from loss, damage or misuse. The organisation shall ensure that appropriate measures are taken to protect this asset. For this to happen, management must ensure that all personnel apply all the information security policy, topic-specific policies and procedures of the organisation.

Control 5.4 covers the purpose and implementation guidance for defining management responsibility with regards to information security in an organisation in line with the framework of ISO 27001.

This control is all about making sure that management is on board with the information security programme and that all employees and contractors are aware of and follow the organisation’s information security policy. No one should ever be exempt from mandatory compliance with the organisation’s security policies, topics-specific policies and procedures.

What Is Involved and How to Meet the Requirements

The key to meeting the requirements of this control is in ensuring that management is able to compel all relevant personnel to adhere to the organisation’s information security policies, standards, and procedures.

The first step is management buy-in and support. Management must demonstrate its commitment by following through on all policies and procedures it puts in place. For example, if you require workers to take annual security awareness training courses, managers should lead by example and complete those courses first.

Next comes communicating the importance of information security to everyone in the company, regardless of their role. This includes the board of directors, executives and management, as well as employees. Everyone must understand their role in maintaining the security of sensitive data as covered in the company’s ISMS programme.

Are you ready for
the new ISO 27002

We’ll give you an 81% headstart
from the moment you log in
Book your demo

Since migrating we’ve been able to reduce the time spent on administration.
Jodie Korber
Managing Director Lanrex
100% of our users pass certification first time
Book your demo

Differences between ISO 27002:2013 and ISO 27002:2022

ISO 27002:2022 control 5.4 Management Responsibilities was formerly known as control 7.2.1 Management Responsibilities in ISO 27002:2013. This is not a new control but a more robust interpretation of the 2013 version.

While control 5.4 and control 7.2.1 broadly covers the same thing, there are few differences that organisations and business managers should note. These differences are covered in the implementation guidance of the control.

Control 5.4 ISO 27002:2013-2022 Implementation Guidelines Compared

In ISO 27002: 2013, management responsibilities covers ensuring that employees and contractors:

a) are properly briefed on their information security roles and responsibilities prior to being granted access to confidential information or information systems;

b) are provided with guidelines to state information security expectations of their role within the
Organisation;

c) are motivated to fulfil the information security policies of the organisation;

d) achieve a level of awareness on information security relevant to their roles and responsibilities within the organisation;

e) conform to the terms and conditions of employment, which includes the organisation’s information security policy and appropriate methods of working;

f) continue to have the appropriate skills and qualifications and are educated on a regular basis;

g) are provided with an anonymous reporting channel to report violations of information security policies or procedures (“whistle blowing”).

Management should demonstrate support of information security policies, procedures and controls, and act as a role model.

Control 5.4 is a more user-friendly version and requires that management responsibilities ensures that employees and contractors:

a) Are properly briefed on their information security roles and responsibilities prior to being granted access to the organisation’s information and other associated assets;

b) Are provided with guidelines which state the information security expectations of their role within the organisation;

c) Are mandated to fulfil the information security policy and topic-specific policies of the organisation;

d) Achieve a level of awareness of information security relevant to their roles and responsibilities within the organisation;

e) Compliance with the terms and conditions of employment, contract or agreement, including the organisation’s information security policy and appropriate methods of working;

f) Continue to have the appropriate information security skills and qualifications through ongoing professional education;

g) Where practicable, are provided with a confidential channel for reporting violations of information security policy, topic-specific policies or procedures for information security (“whistleblowing”). This can allow for anonymous reporting, or have provisions to ensure that knowledge of the identity of the reporter is known only to those who need to deal with such reports;

h) Are provided with adequate resources and project planning time for implementing the organisation’s security-related processes and controls.

As you can see, ISO 27002:2022 specifically requires that in order to execute the organisation’s security-related procedures and controls, workers and contractors are supplied with necessary resources as well as project planning time.

The wordings in some of the implementation guidelines of ISO 27002:2013 vs ISO 27002:2020 were also affected. Where guideline C of the 2013 version states that employees and contractors be ‘motivated’ to adopt the company’s ISMS policies, 2022 uses the word ‘mandated’

Get a Headstart
on ISO 27002

The only compliance
solution you need
Book your demo

Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

Who Is In Charge Of This Process?

The answer to this question is pretty simple: the management! It is the responsibility of the management to ensure that a proper ISMS (Information Security Management System) is implemented.

This is normally supported by the appointment of a suitably qualified and experienced information security manager, who will be accountable to senior management for developing, implementing, managing and continually improving the ISMS.

How ISMS.online Helps

One of the biggest challenges in implementing an ISO 27001-aligned ISMS is keeping on top of your information security controls. Our system makes this easy.

We understand the importance of protecting your organisation’s data and reputation. That’s why our cloud-based platform is designed to simplify the implementation of ISO 27001, provide you with a robust framework of information security controls and help you achieve certification with minimal resources and time.

We’ve included a variety of user-friendly features and toolkits into our platform to save you time and guarantee you’re creating a really robust ISMS. With ISMS.online, you can easily obtain ISO 27001 certification and afterwards easily manage it.

Book a demo today.

ISMS.online is a
one-stop solution that radically speeded up our implementation.

Evan Harris
Founder & COO, Peppy

Book your demo

New Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.7NewThreat intelligence
5.23NewInformation security for use of cloud services
5.30NewICT readiness for business continuity
7.4NewPhysical security monitoring
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.16NewMonitoring activities
8.23NewWeb filtering
8.28NewSecure coding

Organisational Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.105.1.1, 05.1.2Policies for information security
5.206.1.1Information security roles and responsibilities
5.306.1.2Segregation of duties
5.407.2.1Management responsibilities
5.506.1.3Contact with authorities
5.606.1.4Contact with special interest groups
5.7NewThreat intelligence
5.806.1.5, 14.1.1Information security in project management
5.908.1.1, 08.1.2Inventory of information and other associated assets
5.1008.1.3, 08.2.3Acceptable use of information and other associated assets
5.1108.1.4Return of assets
5.12 08.2.1Classification of information
5.1308.2.2Labelling of information
5.1413.2.1, 13.2.2, 13.2.3Information transfer
5.1509.1.1, 09.1.2Access control
5.1609.2.1Identity management
5.17 09.2.4, 09.3.1, 09.4.3Authentication information
5.1809.2.2, 09.2.5, 09.2.6Access rights
5.1915.1.1Information security in supplier relationships
5.2015.1.2Addressing information security within supplier agreements
5.2115.1.3Managing information security in the ICT supply chain
5.2215.2.1, 15.2.2Monitoring, review and change management of supplier services
5.23NewInformation security for use of cloud services
5.2416.1.1Information security incident management planning and preparation
5.2516.1.4Assessment and decision on information security events
5.2616.1.5Response to information security incidents
5.2716.1.6Learning from information security incidents
5.2816.1.7Collection of evidence
5.2917.1.1, 17.1.2, 17.1.3Information security during disruption
5.30NewICT readiness for business continuity
5.3118.1.1, 18.1.5Legal, statutory, regulatory and contractual requirements
5.3218.1.2Intellectual property rights
5.3318.1.3Protection of records
5.3418.1.4Privacy and protection of PII
5.3518.2.1Independent review of information security
5.3618.2.2, 18.2.3Compliance with policies, rules and standards for information security
5.3712.1.1Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
6.107.1.1Screening
6.207.1.2Terms and conditions of employment
6.307.2.2Information security awareness, education and training
6.407.2.3Disciplinary process
6.507.3.1Responsibilities after termination or change of employment
6.613.2.4Confidentiality or non-disclosure agreements
6.706.2.2Remote working
6.816.1.2, 16.1.3Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
7.111.1.1Physical security perimeters
7.211.1.2, 11.1.6Physical entry
7.311.1.3Securing offices, rooms and facilities
7.4NewPhysical security monitoring
7.511.1.4Protecting against physical and environmental threats
7.611.1.5Working in secure areas
7.711.2.9Clear desk and clear screen
7.811.2.1Equipment siting and protection
7.911.2.6Security of assets off-premises
7.1008.3.1, 08.3.2, 08.3.3, 11.2.5Storage media
7.1111.2.2Supporting utilities
7.1211.2.3Cabling security
7.1311.2.4Equipment maintenance
7.1411.2.7Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
8.106.2.1, 11.2.8User endpoint devices
8.209.2.3Privileged access rights
8.309.4.1Information access restriction
8.409.4.5Access to source code
8.509.4.2Secure authentication
8.612.1.3Capacity management
8.712.2.1Protection against malware
8.812.6.1, 18.2.3Management of technical vulnerabilities
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.1312.3.1Information backup
8.1417.2.1Redundancy of information processing facilities
8.1512.4.1, 12.4.2, 12.4.3Logging
8.16NewMonitoring activities
8.1712.4.4Clock synchronization
8.1809.4.4Use of privileged utility programs
8.1912.5.1, 12.6.2Installation of software on operational systems
8.2013.1.1Networks security
8.2113.1.2Security of network services
8.2213.1.3Segregation of networks
8.23NewWeb filtering
8.2410.1.1, 10.1.2Use of cryptography
8.2514.2.1Secure development life cycle
8.2614.1.2, 14.1.3Application security requirements
8.2714.2.5Secure system architecture and engineering principles
8.28NewSecure coding
8.2914.2.8, 14.2.9Security testing in development and acceptance
8.3014.2.7Outsourced development
8.3112.1.4, 14.2.6Separation of development, test and production environments
8.3212.1.2, 14.2.2, 14.2.3, 14.2.4Change management
8.3314.3.1Test information
8.3412.7.1Protection of information systems during audit testing
Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.