ISO 27001 A.5.4: Management responsibilities
What This Control Requires
Management shall require all personnel to apply information security in accordance with the established information security policy and topic-specific policies and procedures of the organization.
In Plain Language
Security policies are only worth the paper they are printed on if management actually enforces them. Publishing a policy and hoping for compliance is not enough; managers at every level need to actively drive adherence and, critically, lead by example. A manager who bypasses a control teaches the team that the control is optional.

In practice this means ensuring that staff receive proper security awareness training, understand their individual obligations, and have the resources they need to do the right thing. Managers also need to monitor compliance within their teams and act when violations occur rather than look the other way.

This does not stop at permanent employees. Contractors, temporary staff, and any third-party personnel accessing your information need to understand and agree to your security requirements before they get access. Management is responsible for making that happen.
How to Implement
Build a clear management accountability framework for security. Define what is expected of managers at each level, from first-line supervisors to senior executives, and build these expectations into their performance objectives and evaluations.

Run a mandatory security awareness programme that everyone must complete before getting access to information systems. Cover your security policies, acceptable use requirements, incident reporting procedures, and what happens when people do not comply. Record the completion date (and the version of the course) for each person so that a refresher cycle can be enforced, track completion rates, and chase up anyone who has not finished.

Create a proper new joiner process that includes security induction, policy sign-off, confidentiality agreements, and acknowledgement of responsibilities. This applies equally to contractors and temps. Give managers a checklist to work through for each new team member, and make account provisioning conditional on the checklist being complete.

Give managers the tools to monitor compliance: regular spot checks, access log reviews, and participation in audits. Dashboards or periodic reports showing compliance metrics for their area are useful here, particularly where they reconcile who actually holds an active account against who has completed training and signed the required agreements.

Establish a clear, fair, documented disciplinary process for policy violations and make sure managers know how to use it. Equally important: recognise and reward good security behaviour. A positive security culture is far more effective than a punitive one.
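The reconciliation that feeds such a dashboard can be automated. The following is an added illustration written for this page; it is not code from the original article, from AuditFront, or from the ISO standard. It joins three constructed exports (an HR roster covering employees, contractors and temps; training completion dates from a learning system; signed acceptable-use agreements) against the list of active accounts from an identity provider, and flags every active account that should not have access under the policy described above. The field names, the 365-day refresher window, and the sample data are assumptions; substitute your own exports.

```python
"""
Added example (not from the original page or AuditFront): reconcile active
identity-provider accounts against the HR roster, awareness-training
completion and signed acceptable-use agreements (AUP), then summarise open
exceptions per manager for a compliance dashboard.
"""
from collections import defaultdict
from datetime import date, timedelta

TRAINING_VALID_DAYS = 365          # assumed annual refresher requirement
TODAY = date(2024, 6, 1)           # fixed "as of" date so the report is reproducible

# Constructed sample exports. In practice these come from HR, the LMS and the IdP.
ROSTER = [
    {"id": "u001", "manager": "m.lee",  "type": "employee"},
    {"id": "u002", "manager": "m.lee",  "type": "contractor"},
    {"id": "u003", "manager": "r.khan", "type": "employee"},
    {"id": "u004", "manager": "r.khan", "type": "temp"},
]
TRAINING = {                        # id -> date the awareness course was last completed
    "u001": date(2024, 3, 1),
    "u003": date(2022, 1, 15),      # older than the refresher window
}
AUP_SIGNED = {"u001", "u002", "u003"}
ACTIVE_ACCOUNTS = {"u001", "u002", "u003", "u004", "u099"}   # u099 is unknown to HR


def find_exceptions(roster, training, aup_signed, active_accounts, today,
                    valid_days=TRAINING_VALID_DAYS):
    """Return (account_id, manager, reason) for every active account that fails
    a precondition for access. An account can appear more than once."""
    by_id = {p["id"]: p for p in roster}
    cutoff = today - timedelta(days=valid_days)
    exceptions = []
    for acct in sorted(active_accounts):
        person = by_id.get(acct)
        if person is None:
            # Active account with no HR record: nobody is accountable for it.
            exceptions.append((acct, None, "no roster entry (orphaned account)"))
            continue
        mgr = person["manager"]
        completed = training.get(acct)
        if completed is None:
            exceptions.append((acct, mgr, "awareness training never completed"))
        elif completed < cutoff:
            exceptions.append((acct, mgr, f"awareness training stale (last {completed.isoformat()})"))
        if acct not in aup_signed:
            exceptions.append((acct, mgr, "acceptable use agreement not signed"))
    return exceptions


def summarise_by_manager(roster, exceptions):
    """Per-manager figures for a dashboard: team size, how many team members
    have at least one open exception, and the total number of open exceptions.
    Orphaned accounts have no manager and are reported separately."""
    headcount = defaultdict(int)
    for p in roster:
        headcount[p["manager"]] += 1
    people = defaultdict(set)
    open_count = defaultdict(int)
    for acct, mgr, _ in exceptions:
        if mgr is None:
            continue
        people[mgr].add(acct)
        open_count[mgr] += 1
    return {
        m: {"headcount": headcount[m],
            "non_compliant": len(people[m]),
            "open_exceptions": open_count[m]}
        for m in headcount
    }


def run_report(today=TODAY):
    """Run the reconciliation over the constructed sample data."""
    exc = find_exceptions(ROSTER, TRAINING, AUP_SIGNED, ACTIVE_ACCOUNTS, today)
    return exc, summarise_by_manager(ROSTER, exc)


if __name__ == "__main__":
    exceptions, summary = run_report()
    for acct, mgr, reason in exceptions:
        print(f"{acct:6} manager={mgr or '-':8} {reason}")
    for mgr, figures in summary.items():
        print(mgr, figures)
```

Running it against the sample data lists the contractor with no training, the employee whose training has lapsed, the temp who has neither training nor a signed agreement, and the orphaned account that HR has no record of. The orphaned-account case is deliberately separated out: it is not a training problem but an ownership problem, and the action is to disable the account and find out who created it. Feeding the per-manager figures into a periodic report gives each manager a concrete number to act on rather than a policy to read.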
Evidence Your Auditor Will Request
- Security awareness training completion records, with evidence that managers followed up on non-completion
- Signed confidentiality and acceptable use agreements for all personnel
- Management performance objectives that include information security responsibilities
- Records of management actions taken to address security non-compliance
- New joiner security induction checklist and completion records
Common Mistakes
- Management does not lead by example and bypasses security controls themselves
- Security awareness training is optional or not tracked for completion
- Contractors and temporary staff are not included in security awareness programmes or the new joiner process
- No consequences for repeated policy violations leading to a culture of non-compliance
- Managers are unaware of their specific security oversight responsibilities