ISO 27002:2022, control 5.4, Management Responsibilities covers the need for management to ensure that all personnel stick to all the information security topic-specific policies and procedures as defined in the established information security policy of the organisation.
An information security policy is a formal document that provides management direction, goals and principles for protecting an organisation’s information. An effective information security policy should be tailored to the specific needs of an organisation and supported by senior management to ensure appropriate allocation of resources.
The policy communicates the overarching principles on how management would like employees to handle sensitive data and how the company will protect its information assets.
The policy is often derived from laws, regulations and best practices that must be adhered to by the organisation. Information security policies are usually created by an organisation’s senior management, with input from its IT security staff.
Policies should also include a framework for defining roles and responsibilities and a timeline for periodic review.
Attributes are a way to categorise different types of controls. These attributes allow you to align your controls with industry standards. In control 5.4 they are:
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Governance | #Governance and Ecosystem |
ISMS.online will save you time and money
Get your quoteControl 5.4 was designed to ensure that management understands their responsibility in information security and that they take steps to ensure that all employees are aware of and fulfil their information security obligations.
Information is a valuable asset and must be protected from loss, damage or misuse. The organisation shall ensure that appropriate measures are taken to protect this asset. For this to happen, management must ensure that all personnel apply all the information security policy, topic-specific policies and procedures of the organisation.
Control 5.4 covers the purpose and implementation guidance for defining management responsibility with regards to information security in an organisation in line with the framework of ISO 27001.
This control is all about making sure that management is on board with the information security programme and that all employees and contractors are aware of and follow the organisation’s information security policy. No one should ever be exempt from mandatory compliance with the organisation’s security policies, topics-specific policies and procedures.
The key to meeting the requirements of this control is in ensuring that management is able to compel all relevant personnel to adhere to the organisation’s information security policies, standards, and procedures.
The first step is management buy-in and support. Management must demonstrate its commitment by following through on all policies and procedures it puts in place. For example, if you require workers to take annual security awareness training courses, managers should lead by example and complete those courses first.
Next comes communicating the importance of information security to everyone in the company, regardless of their role. This includes the board of directors, executives and management, as well as employees. Everyone must understand their role in maintaining the security of sensitive data as covered in the company’s ISMS programme.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
Since migrating we’ve been able to reduce the time spent on administration.
ISO 27002:2022 control 5.4 Management Responsibilities was formerly known as control 7.2.1 Management Responsibilities in ISO 27002:2013. This is not a new control but a more robust interpretation of the 2013 version.
While control 5.4 and control 7.2.1 broadly covers the same thing, there are few differences that organisations and business managers should note. These differences are covered in the implementation guidance of the control.
In ISO 27002: 2013, management responsibilities covers ensuring that employees and contractors:
a) are properly briefed on their information security roles and responsibilities prior to being granted access to confidential information or information systems;
b) are provided with guidelines to state information security expectations of their role within the
Organisation;
c) are motivated to fulfil the information security policies of the organisation;
d) achieve a level of awareness on information security relevant to their roles and responsibilities within the organisation;
e) conform to the terms and conditions of employment, which includes the organisation’s information security policy and appropriate methods of working;
f) continue to have the appropriate skills and qualifications and are educated on a regular basis;
g) are provided with an anonymous reporting channel to report violations of information security policies or procedures (“whistle blowing”).
Management should demonstrate support of information security policies, procedures and controls, and act as a role model.
Control 5.4 is a more user-friendly version and requires that management responsibilities ensures that employees and contractors:
a) Are properly briefed on their information security roles and responsibilities prior to being granted access to the organisation’s information and other associated assets;
b) Are provided with guidelines which state the information security expectations of their role within the organisation;
c) Are mandated to fulfil the information security policy and topic-specific policies of the organisation;
d) Achieve a level of awareness of information security relevant to their roles and responsibilities within the organisation;
e) Compliance with the terms and conditions of employment, contract or agreement, including the organisation’s information security policy and appropriate methods of working;
f) Continue to have the appropriate information security skills and qualifications through ongoing professional education;
g) Where practicable, are provided with a confidential channel for reporting violations of information security policy, topic-specific policies or procedures for information security (“whistleblowing”). This can allow for anonymous reporting, or have provisions to ensure that knowledge of the identity of the reporter is known only to those who need to deal with such reports;
h) Are provided with adequate resources and project planning time for implementing the organisation’s security-related processes and controls.
As you can see, ISO 27002:2022 specifically requires that in order to execute the organisation’s security-related procedures and controls, workers and contractors are supplied with necessary resources as well as project planning time.
The wordings in some of the implementation guidelines of ISO 27002:2013 vs ISO 27002:2020 were also affected. Where guideline C of the 2013 version states that employees and contractors be ‘motivated’ to adopt the company’s ISMS policies, 2022 uses the word ‘mandated’
The answer to this question is pretty simple: the management! It is the responsibility of the management to ensure that a proper ISMS (Information Security Management System) is implemented.
This is normally supported by the appointment of a suitably qualified and experienced information security manager, who will be accountable to senior management for developing, implementing, managing and continually improving the ISMS.
One of the biggest challenges in implementing an ISO 27001-aligned ISMS is keeping on top of your information security controls. Our system makes this easy.
We understand the importance of protecting your organisation’s data and reputation. That’s why our cloud-based platform is designed to simplify the implementation of ISO 27001, provide you with a robust framework of information security controls and help you achieve certification with minimal resources and time.
We’ve included a variety of user-friendly features and toolkits into our platform to save you time and guarantee you’re creating a really robust ISMS. With ISMS.online, you can easily obtain ISO 27001 certification and afterwards easily manage it.
Book a demo today.
ISMS.online is a
one-stop solution that radically speeded up our implementation.
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
