ISO 27001 Management Responsibilities | Annex A 5.4 | The Lead Auditor’s Implementation and Audit Guide

ISO 27001 Annex A 5.4 Management Responsibilities is a security control that requires senior leadership to mandate information security policy adherence. The primary implementation requirement is a top-down governance framework where management provides resources and enforces accountability, delivering the business benefit of a robust, leadership-driven security culture across the workforce.

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.4 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.4 Management Responsibilities

ISO 27001 Annex A 5.4 requires senior management to actively ensure that all personnel follow the organization’s information security policies and procedures. This control shifts security from being “the IT department’s problem” to a top-down leadership mandate. The goal is to ensure that management understands their role in fostering a security culture and provides the necessary resources, oversight, and legal frameworks to enforce data protection standards across the entire workforce.

  • Leaders are responsible for making sure everyone follows the security rules.
  • Companies need to train their staff so they know their part in keeping information safe.
  • Clear security policies and job duties should be written down for all to see.

Core requirements for compliance include:

  • Mandated Compliance: Management must require all staff and contractors to apply information security in accordance with established policies. This isn’t optional; it must be a condition of employment.
  • Resource Allocation: Leaders must provide adequate resources (budget, time, and tools) to implement and maintain the Information Security Management System (ISMS).
  • Competence & Skills: Management is responsible for ensuring that personnel are competent for their security roles. This involves maintaining a Competency Matrix to track training, experience, and certifications.
  • Contractual Enforcement: Security requirements must be explicitly stated in employment contracts and third-party agreements to ensure they are legally enforceable.
  • Whistleblowing Process: Management must implement a process that allows employees to report security concerns or violations anonymously and without fear of retaliation.

Audit Focus: Auditors will look for “The Leadership Signature”:

  1. Direct Evidence: “Show me the meeting minutes where senior management reviewed the risk register and approved the security budget.”
  2. The Whistleblower Test: “If an employee sees a manager bypassing security rules, how do they report it? Show me the documented process.”
  3. Policy Acknowledgement: They will check if all new hires, including senior executives, have signed their employment contracts and completed their initial security training.

Manager’s Monthly Checklist (Audit Prep):

| Action | Why it matters | Required Evidence | ISO 27001:2022 reference |
|---|---|---|---|
| Brief the Team | Reminds staff of specific security behaviours (e.g., screen locking). | Team meeting minutes. | Annex A 5.4 / Clause 7.3 (Awareness) |
| Check Compliance | Verifies that all team members completed annual security training. | Updated training log. | Annex A 5.4 / Clause 7.2 (Competence) |
| Enforce Rules | Demonstrates that policy violations have consequences. | Disciplinary note or email record. | Annex A 5.4 / Annex A 6.4 (Disciplinary process) |
| Lead by Example | Sets the cultural tone for the organisation. | Visual observation (e.g., wearing ID badges). | Annex A 5.4 / Clause 5.1 (Leadership and commitment) |

What is ISO 27001 Annex A 5.4?

ISO 27001 Annex A 5.4 Management Responsibilities is about ensuring that information security is led from the top down.

ISO 27001 Annex A 5.4 Management Responsibilities is an ISO 27001 control that requires management to ensure that people apply information security in line with documented policies and procedures.

ISO 27001 Annex A 5.4 Purpose

The purpose of Annex A 5.4 is to ensure that management understands its role in information security and takes action to ensure that all personnel are aware of, and fulfil, their information security responsibilities.

ISO 27001 Annex A 5.4 Definition

The ISO 27001 standard defines ISO 27001 Management Responsibilities as:

Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.

ISO 27001 Annex A 5.4 Management Responsibilities

Watch the ISO 27001 Annex A 5.4 Tutorial

In the video ISO 27001 Annex A 5.4 Management Responsibilities Explained I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 5.4 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.4 Management Responsibilities. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.4 Implementation Guidance

You are going to have to ensure that:

  • information security roles and responsibilities are documented, and people are briefed on them before they are given access to information
  • guidelines setting out information security expectations are in place and are shared with people
  • information security policies are in place and people are aware that compliance with them is mandatory
  • information security training and awareness relevant to people’s roles is implemented
  • terms and conditions of employment, contracts or agreements include information security obligations that relate to the policies
  • information security skills and qualifications, where relevant, are kept current
  • a whistleblowing process exists
  • adequate resources are made available for information security related controls and processes.

1. Implement ISO 27001 Policies

To act in accordance with ISO 27001 information security policies and procedures you first need to implement them. Follow the guidance in The Ultimate Guide to ISO 27001 Annex A 5.1 Policies for Information Security

2. Document Roles and Responsibilities

It is straightforward to document the roles and responsibilities. Start by defining what the roles are: state the name of the role, then list what that role is responsible for in terms of information security.

Example Information Security Roles

Typical roles that are required include, but are certainly not limited to:

  • CEO
  • Leadership
  • Information Security Management Leadership
  • Information Security Manager
  • Management Review Team
  • Third Party Supplier Manager
  • Business Continuity Manager
  • Information Owners
  • Information Security Incident Management

Example Information Security Responsibilities

An example of information security responsibilities assigned to a role would be the role of the CEO. Let’s take a look:

CEO

  • Sets the company direction for information security
  • Promotes a culture of information security aligned to the business objectives
  • Signs off and agrees on resources, objectives, risks and risk treatment

3. Ensure People are Competent

Once people are assigned to roles, you record and manage their competence to perform those roles. Competence is usually a measure of experience and training, and the evidence for it is kept in an ISO 27001 Competency Matrix that you create and maintain: each role lists the competencies it requires, and each person lists the training, experience and certifications they hold, with expiry dates where they apply.
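To make the competency matrix concrete, here is an added example (it is not part of the original guide or the High Table toolkit) that checks a small constructed matrix: each role lists the competencies it requires, each person lists the evidence they hold with an expiry date, and the script reports people with missing or expired competencies, roles that nobody has been assigned, and evidence about to expire. Role titles, competency codes, names and dates are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Date the check is run. Fixed here so the example is reproducible.
TODAY = date(2025, 6, 1)

# Constructed competency matrix: role -> competencies the role requires.
# Role titles and competency codes are illustrative assumptions.
ROLE_REQUIREMENTS = {
    "Information Security Manager": {"ISMS-LEAD", "RISK-ASSESS", "INCIDENT-MGMT"},
    "Third Party Supplier Manager": {"SUPPLIER-RISK", "RISK-ASSESS"},
    "Business Continuity Manager": {"BCP", "RISK-ASSESS"},
    "Management Review Team": {"ISMS-OVERVIEW"},
}


@dataclass
class Person:
    name: str
    role: str
    # competency code -> expiry date of the evidence (None = does not expire)
    competencies: dict


# Constructed people records (names and dates are made up).
PEOPLE = [
    Person("A. Patel", "Information Security Manager",
           {"ISMS-LEAD": None,
            "RISK-ASSESS": date(2026, 3, 1),
            "INCIDENT-MGMT": date(2024, 12, 31)}),   # expired evidence
    Person("B. Okafor", "Third Party Supplier Manager",
           {"SUPPLIER-RISK": date(2025, 7, 31)}),     # RISK-ASSESS missing
    Person("C. Weber", "Business Continuity Manager",
           {"BCP": None, "RISK-ASSESS": None}),        # fully competent
]


def competency_gaps(people, requirements, today=TODAY):
    """Return {name: {"missing": [...], "expired": [...]}} for anyone whose
    role requires a competency they lack, or hold only expired evidence for."""
    report = {}
    for p in people:
        required = requirements.get(p.role, set())
        missing = sorted(c for c in required if c not in p.competencies)
        expired = sorted(
            c for c in required
            if c in p.competencies
            and p.competencies[c] is not None
            and p.competencies[c] < today
        )
        if missing or expired:
            report[p.name] = {"missing": missing, "expired": expired}
    return report


def unassigned_roles(people, requirements):
    """Roles in the matrix that no one currently holds."""
    assigned = {p.role for p in people}
    return sorted(set(requirements) - assigned)


def expiring_soon(people, today=TODAY, days=90):
    """(name, competency, expiry) for evidence that expires within `days`."""
    horizon = today + timedelta(days=days)
    out = []
    for p in people:
        for code, expiry in p.competencies.items():
            if expiry is not None and today <= expiry <= horizon:
                out.append((p.name, code, expiry))
    return sorted(out)


if __name__ == "__main__":
    print("Gaps:", competency_gaps(PEOPLE, ROLE_REQUIREMENTS))
    print("Unassigned roles:", unassigned_roles(PEOPLE, ROLE_REQUIREMENTS))
    print("Expiring within 90 days:", expiring_soon(PEOPLE))
```

Run this before the audit and attach the output to the management review pack: an empty gap list is the evidence that the matrix is being maintained, and a non-empty one is the action list for whoever owns training. Note that an unassigned role is a governance finding in its own right, which is why it is reported separately from individual gaps.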

4. Engage with HR

You have a reliance on HR. Many HR processes come into play throughout the implementation, including onboarding new employees, offboarding people when they leave, disciplinary processes and more. Specific to this control, you are going to have terms and conditions of employment, contracts or agreements that include information security obligations and relate to the policies. More generally, you are going to work to ensure that information security is part of every HR process where it is relevant.

5. Communicate and Train

A large part of this control is communication and training: actually telling people what is expected of them. Having a communication plan that covers what you will communicate, when, to whom and how is a good way to set a structure for the year. Telling people where the policies are, how to report incidents and who they can speak to about information security are the basics. Alongside this you will have training on a range of topics and requirements; you can learn more in The Ultimate Guide to ISO 27001 Annex A 6.3 Information Security Awareness, Education and Training.

For further guidance read How to Implement ISO 27001:2022 Annex A 5.4

How to implement ISO 27001 Annex A 5.4

Implementing ISO 27001 Annex A 5.4 requires a definitive shift from passive approval to active security leadership. This control mandates that management at all levels demonstrates a commitment to the Information Security Management System (ISMS) by ensuring personnel follow established security protocols. By embedding security requirements into daily operations and human resource processes, organisations create a culture of accountability. This technical guide outlines the action-oriented steps to formalise management oversight and satisfy lead auditor requirements.

1. Formalise Information Security Roles and Responsibilities

Establish clear lines of accountability by documenting security duties within job descriptions and organisational charts. This action results in a structured governance framework where every employee and manager understands their specific obligations toward data protection.

  • Define specific security roles using a RACI matrix (Responsible, Accountable, Consulted, Informed) to eliminate ambiguity in decision making.
  • Incorporate security-related performance objectives into annual staff appraisals to incentivise policy adherence.
  • Assign Identity and Access Management (IAM) oversight roles to departmental managers to ensure the principle of least privilege is maintained for their teams.

2. Provision Resources for Technical and Organisational Controls

Execute the allocation of budget, personnel, and technology required to maintain the ISMS. This result-focused step ensures that security initiatives are not delayed by resource constraints and that the organisation possesses the tools necessary to defend its information assets.

  • Allocate dedicated funding for critical technical safeguards, such as Multi-Factor Authentication (MFA) and Endpoint Detection and Response (EDR) solutions.
  • Provision time for staff to engage in mandatory security awareness training and incident response tabletop exercises.
  • Ensure the availability of Subject Matter Experts (SMEs) to guide project teams on security-by-design principles.

3. Enforce Policy Adherence Through Visible Leadership

Demonstrate management commitment by having leaders visibly follow the same security protocols as everyone else. This action results in increased workforce engagement and validates the importance of the Acceptable Use Policy (AUP) across the entire hierarchy.

  • Require senior leadership to sign off on core security policies, documenting their approval for audit evidence.
  • Ensure managers regularly communicate security updates and threat alerts during departmental briefings.
  • Verify that leadership personnel undergo the same rigorous background screening and training requirements as junior staff to maintain internal trust.

4. Establish a Formalised Disciplinary Process for Security Violations

Coordinate with Human Resources to document a transparent process for handling security non-compliance. This action results in a credible deterrent against negligence and provides a clear “Rules of Engagement” (ROE) document for policy enforcement.

  • Define a tiered disciplinary framework that distinguishes between accidental errors and intentional policy violations.
  • Ensure the disciplinary process is communicated clearly to all employees during the onboarding phase.
  • Maintain confidential logs of disciplinary actions taken as evidence for auditors to prove the control is active and enforced.

5. Operationalise Whistleblowing and Reporting Mechanisms

Deploy secure channels that allow personnel to report risks or policy violations without fear of reprisal. This fosters a transparent security culture where management is alerted to vulnerabilities before they are exploited.

  • Implement an anonymous reporting tool or dedicated email alias for security concerns.
  • Document a non-retaliation clause within the Information Security Policy to protect whistleblowers.
  • Review reported incidents monthly to identify cultural trends or recurring policy gaps.

6. Mandate Security Competency and Awareness Baselining

Direct the implementation of a continuous training program that verifies staff competence. This ensures that management does not simply assume security knowledge but actively validates it through testing and simulation.

  • Authorise the use of phishing simulation campaigns to test real-world user resilience.
  • Review training completion rates for high-risk groups, such as Finance and DevOps teams.
  • Link training outcomes to access privileges, for example by requiring course completion before granting access to sensitive systems such as the asset register.

7. Integrate Security into Change Management Workflows

Embed security oversight into the operational change process to prevent unauthorised or risky modifications. This action ensures management retains control over the technical environment and maintains system integrity.

  • Appoint security representatives to the Change Advisory Board (CAB) to review significant infrastructure changes.
  • Enforce a strict separation of duties (SoD) between development and production environments.
  • Require management approval for emergency changes or “break-glass” procedures.

8. Define External Interface and Vendor Responsibilities

Extend management responsibility to the supply chain by defining how third parties interact with organisational data. This mitigates the risk of data breaches originating from vendors or contractors.

  • Mandate security schedules and Right to Audit clauses in all supplier contracts.
  • Assign internal contract owners responsible for monitoring vendor security performance.
  • Review third-party access logs regularly to ensure adherence to the agreed Scope of Work.

9. Execute Regular Management Reviews of Security Performance

Perform structured reviews of ISMS metrics, audit findings, and incident reports. This result-oriented step allows management to identify systemic weaknesses and authorise corrective actions to ensure continuous improvement.

  • Schedule management review meetings at planned intervals, as ISO 27001 Clause 9.3 requires; quarterly is a common choice, but the standard does not prescribe a frequency.
  • Analyse Key Performance Indicators (KPIs), such as the time taken to revoke access for leavers or training completion rates.
  • Document the minutes and action items from these reviews to provide a verifiable trail of management involvement in security governance.

10. Verify Effectiveness via Independent Internal Audit

Commission impartial audits to validate that management responsibilities are being discharged effectively. This provides the Board with objective assurance that the security governance framework is functioning as intended.

  • Approve an annual Internal Audit Programme that covers leadership and governance controls.
  • Ensure auditors have direct access to the Board or Audit Committee to report findings without interference.
  • Track the closure of Non-Conformities (NCs) raised against management controls to demonstrate continuous improvement.

ISO 27001 Roles and Responsibilities Template

The Documented Roles and Responsibilities Template has the roles already defined with the responsibilities already written.

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities Template

ISO 27001 Competency Template

For competency the great ISO 27001 Competency Matrix will get you up to speed fast.

ISO 27001 Competency Matrix Template

Manager’s Monthly Checklist Example

| Action | Why? | Evidence |
|---|---|---|
| Brief Team | Remind staff of policies (e.g., locking screens). | Meeting minutes. |
| Check Compliance | Verify staff completed security training. | Training log. |
| Enforce Rules | Correct bad behaviour (e.g., password sharing). | Disciplinary note / email. |
| Lead by Example | Wear ID badge visibly at all times. | Visual observation (audit). |

How to comply

To comply with ISO 27001 Annex A 5.4 you implement the ‘how’ that delivers the ‘what’ the control expects: in short, the steps set out in the implementation guidance above.

How to pass the ISO 27001 Annex A 5.4 audit

To pass an audit of ISO 27001 Annex A 5.4 Management Responsibilities you are going to make sure that you have followed the steps above in how to comply.

What an auditor looks for

The audit is going to check a number of areas. Let’s go through the main ones.

ISO 27001 Annex A 5.4 Audit Evidence Checklist

| Audit Focus Area | Required Evidence & Auditor Expectations |
|---|---|
| Contractual Obligations | The audit will verify that signed, in-date contracts are in place for all employees, contractors and third parties. These contracts must explicitly state information security requirements and responsibilities. |
| Security Training & Awareness | Auditors require evidence of role-specific information security training. This includes training logs, completion certificates and digital records confirming that staff have read and accepted the relevant policies. |
| Whistleblowing Process | You must demonstrate a documented process that allows personnel to report information security issues anonymously and without fear of reprisal (protected disclosure). |

How to audit ISO 27001 Annex A 5.4

Read the following for guidance on How to Audit ISO 27001 Annex A 5.4

Auditing ISO 27001 Annex A 5.4 requires a forensic approach to verify that management is not merely signing documents but actively driving the Information Security Management System (ISMS). An auditor will look for evidence that the “tone at the top” translates into tangible operational reality. This technical audit guide outlines the specific evidence, interview questions, and observations required to validate that management responsibilities are being discharged effectively in compliance with the 2022 standard.

1. Interview Senior Management on ISMS Objectives

Conduct direct interviews with top management to assess their understanding of the ISMS. The goal is to determine if they can articulate the organisation’s security objectives without relying on a script.

  • Ask specific questions about the organisation’s top three information security risks and how they are currently being mitigated.
  • Request evidence that management communicates the importance of effective information security to all staff (e.g., town hall emails or video briefings).
  • Verify that they understand their specific accountability for the effectiveness of the ISMS.

2. Review Management Review Meeting Minutes

Examine the minutes from the most recent Management Review Meetings (MRM) to ensure security is a standing agenda item. This confirms that governance is active rather than theoretical.

  • Check for documented decisions regarding risk acceptance, budget approval, and resource allocation.
  • Verify that action items assigned to management during previous meetings have been tracked to closure.
  • Ensure the minutes reflect a review of audit results and feedback from interested parties.

3. Inspect Job Descriptions and Organisational Charts

Audit HR documentation to verify that information security responsibilities are formally defined and communicated. Ambiguity in roles is a common major non-conformity.

  • Sample a cross-section of job descriptions (including non-IT roles) to check for specific security clauses.
  • Review the organisational chart to ensure the CISO or Security Lead has a direct reporting line to top management.
  • Check signed induction checklists to confirm new hires have acknowledged their security responsibilities.

4. Validate Resource Allocation and Budgeting

Request financial or project evidence that management has provided adequate resources for the ISMS. A policy without a budget is effectively an empty promise.

  • Review purchase orders or invoices for security tools such as Multi-Factor Authentication (MFA) or Endpoint Detection and Response (EDR).
  • Check resource planning documents to ensure staff have allocated time for ISMS maintenance tasks (e.g., internal audits).
  • Confirm that budget requests for critical security remediation have been reviewed and approved.

5. Audit Security Awareness and Training Records

Examine the training matrix to verify that management enforces competency requirements across the organisation. High completion rates demonstrate management commitment.

  • Check the Learning Management System (LMS) for 100% completion rates of mandatory onboarding training.
  • Review records for targeted training provided to high-risk roles, such as developers or finance teams.
  • Look for evidence of remedial training assigned to staff who fail phishing simulations.

6. Verify the Whistleblowing and Reporting Process

Test the mechanisms available for staff to report security concerns. An effective management system must provide a safe channel for feedback.

  • Inspect the anonymous reporting tool or email workflow to ensure it is functional and monitored.
  • Review the log of reported incidents to see if they are being triaged and investigated within agreed SLAs.
  • Check the Whistleblowing Policy to ensure it explicitly protects reporters from retaliation.

7. Examine Disciplinary Process Documentation

Review the disciplinary policy to ensure there is a clear framework for handling security violations. This acts as the enforcement arm of management responsibility.

  • Check that the Acceptable Use Policy (AUP) links directly to the disciplinary procedure.
  • Interview HR to confirm that the process applies equally to all staff, including senior management.
  • Review redacted records of past disciplinary actions (if any) to verify consistent application of the policy.

8. Observe “Tone at the Top” in Daily Operations

Conduct a physical or virtual walkthrough to observe if management follows their own rules. Leadership behaviour sets the standard for the rest of the organisation.

  • Check if managers are wearing their ID badges and locking their screens when away from their desks.
  • Observe if sensitive documents are left on printers or desks in management offices (Clear Desk Policy).
  • Verify that managers do not bypass security controls, such as sharing accounts or disabling MFA.

9. Review Change Management Approvals

Audit the Change Advisory Board (CAB) records to verify management oversight on infrastructure changes. This ensures that security risks are considered before deployment.

  • Select a sample of “Emergency Changes” and verify that they received retrospective management sign-off.
  • Check that significant changes to the ISMS scope or risk profile were discussed in management meetings.
  • Ensure that segregation of duties is maintained in the approval workflow.

10. Check Follow-Up on Non-Conformities

Review the Corrective Action Log to see how management responds to issues. A healthy ISMS is defined by how it fixes problems, not just by the absence of them.

  • Verify that management allocates resources to fix root causes identified in previous audits.
  • Check that overdue non-conformities are flagged to senior leadership for escalation.
  • Ensure that the “effectiveness of action taken” is reviewed and signed off by a responsible manager.

Top 3 ISO 27001 Annex A 5.4 Mistakes and How to Fix Them

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 5.4 Management Responsibilities are:

  1. You have no contracts in place: You need to have contracts in place and they need to include relevant information security requirements. This can often be overlooked or the contracts that you have can be out of date. It is a good idea to check before the audit.
  2. One or more members of your team haven’t done what they should have done: Prior to the audit check that all members of the team have done what they should have. Do they know where the policies are? Have they acknowledged them? Did someone join last month and forget to do it? Check!
  3. Your document and version control is wrong: Keep your document version control up to date, make sure that version numbers match wherever they are used, have evidence of a review in the last 12 months, and make sure documents contain no leftover comments. These are all good practices.

Applicability of ISO 27001 Annex A 5.4 across different business models

Small Businesses

Applicability and interpretation: Tone from the top. In a small team, if the owner bypasses security (e.g., sharing passwords), everyone else will too. Compliance requires management to lead by example, not just sign a policy.

Examples of control:
  • The “CEO Training” Rule: ensuring the Managing Director completes the same cybersecurity awareness training as the newest intern.
  • Visible Enforcement: the owner actively using the company password manager during team meetings to demonstrate that it is mandatory.

Tech Startups

Applicability and interpretation: Culture over compliance. Management responsibility isn’t just about the CISO; it’s about Engineering Leads enforcing secure coding standards. It prevents “Security” from becoming a blocker to “Shipping.”

Examples of control:
  • Blocker Authority: empowering Engineering Managers to block a release if security checks fail, proving that safety outranks speed.
  • Resource Allocation: explicitly budgeting developer hours in the sprint for “Security Debt” repayment, authorised by the CTO.

AI Companies

Applicability and interpretation: Ethical oversight. Management must take responsibility for the safety of the models they release. This goes beyond data security into AI alignment and preventing misuse.

Examples of control:
  • Model Sign-off: a “Go/No-Go” release meeting where the Head of Research must sign off on the safety report before a model is deployed.
  • Whistleblowing Channels: establishing a clear, anonymous channel for researchers to report safety concerns about model behaviour directly to the Board.

Fast Track ISO 27001 Annex A 5.4 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.4 (Management responsibilities), the requirement is for management to ensure that all personnel apply information security in accordance with established policies and procedures. This is about “top-down” leadership and ensuring the management team actively oversees the security culture.

Fast Track ISO 27001 Annex A 5.4 Compliance: SaaS vs. Toolkit

| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Policy Ownership | Rents access to your leadership mandates; if you cancel the subscription, your documented management roles and approval history vanish. | Permanent assets: fully editable Word/Excel Management Responsibility Policies and Role Descriptions you own forever. | A localised “Management Responsibility Policy” signed by the CEO, defining security accountability for all department heads. |
| Leadership Utility | Attempts to “automate” leadership via dashboards that cannot conduct management reviews or decide on resource allocation. | Governance-first: provides the framework for actual leadership engagement, policy approval and driving a security culture. | A completed “Management Review Minute” proving that leadership reviewed ISMS performance and approved the annual budget. |
| Cost Efficiency | Charges a “Leadership Tax” based on the number of admin seats or managers, creating perpetual overhead for core accountability. | One-off fee: a single payment covers your management governance whether you have 2 directors or 20. | Budget allocated to actual security awareness initiatives or infrastructure rather than monthly “governance dashboard” fees. |
| Strategic Freedom | Mandates rigid reporting formats that often fail to align with agile leadership styles or specialised organisational structures. | 100% agnostic: procedures adapt to your operating style, from flat startup structures to complex global hierarchies. | The ability to evolve your management reporting lines and security committee structure without reconfiguring a rigid SaaS module. |

Summary: For Annex A 5.4, the auditor wants to see that management is actively involved and that people are held accountable for security responsibilities. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

Mapping ISO 27001 Annex A 5.4 Management Responsibilities to Global Industry Standards and Laws

| Industry Standard / Law | Relevant Section / Requirement | Mapping to Management Responsibilities (A.5.4) |
|---|---|---|
| NIST SP 800-53 (Rev. 5) | PL-4 (Rules of Behavior) and PM-10 (Authorization Process) | Management must establish Rules of Behavior and require users to acknowledge them before access is granted. Mirrors A.5.4’s requirement for management to mandate policy adherence. |
| NIS2 Directive (EU) | Article 20 (Governance) | Requires “management bodies” to approve and oversee cybersecurity risk-management measures, and introduces personal liability for senior leaders for non-compliance. |
| DORA (EU) | Article 5 (Governance and organisation) | Places ultimate responsibility for ICT risk on the management body. Management must ensure staff are trained and roles are executed as defined in the ICT strategy. |
| SOC 2 (AICPA) | CC1.1, CC1.3 and CC1.5 (COSO Principles 1, 3 and 5) | Management must set the “tone at the top”, define structures and responsibilities, and hold individuals accountable for their internal control responsibilities. |
| UK Data (Use and Access) Act 2025 | Governance and accountability reforms | While reducing paperwork, it requires management to justify reliance on “recognised legitimate interests” and to maintain safeguards for automated decision-making. |
| UK Cyber Security and Resilience Bill | MSPs and senior liability | Expands reporting duties for Managed Service Providers. Management must ensure personnel are competent (often mapped to UK Cyber Security Council titles). |
| CIRCIA (USA) | Reporting governance | Requires management to ensure staff are capable of identifying and reporting “covered cyber incidents” to CISA within 72 hours. |
| EU Product Liability Directive (PLD) | Strict liability for software | Manufacturers, now explicitly including software producers, are strictly liable for damage caused by defective products, and unaddressed cybersecurity vulnerabilities can make a product defective. This requires management oversight of the entire product lifecycle to ensure safety-relevant security. |
| EU Cybersecurity Certification Framework (Cybersecurity Act) | Harmonised assurance levels | Management must attest to the self-assessment or third-party certification level (basic, substantial, high) claimed for products and services. |
| EU AI Act | Article 17 (Quality management system) | Providers of high-risk AI must implement a QMS in which management is accountable for data quality, human oversight and post-market monitoring. |
| ISO/IEC 42001 (AI management) | Clause 5.1 (Leadership and commitment) | Direct alignment. Management must provide resources and ensure AI security objectives are integrated into business processes. |
| GDPR (EU/UK) | Articles 5(2) and 24 | The accountability principle. Management must demonstrate that appropriate technical and organisational measures have been implemented. |
| HIPAA (USA) | 45 CFR § 164.308 (Administrative safeguards) | Requires a “Security Management Process”, including a sanction policy (the disciplinary element of A.5.4) and assigned security responsibility. |
| CCPA / CPRA (California) | Section 1798.100 (Governance) | Requires management to assign a team or individual responsible for privacy and to perform periodic risk assessments and audits. |

ISO 27001:2013 vs 2022: The Annex A 5.4 Transition

If you are upgrading your Information Security Management System from the old 2013 standard to the 2022 revision, you might be wondering exactly what changed here. Let me put your mind at rest. The concept of management responsibility is not new, but the 2022 update makes it far more explicit.

In the 2013 standard, this requirement was primarily housed under Annex A 7.2.1 (Management Responsibilities). The 2022 update consolidated and modernised this into Annex A 5.4, absorbing broader governance requirements and placing it firmly in the organisational controls section. The core difference is the emphasis on active enforcement. It is no longer enough to just publish a policy and hope for the best. The 2022 standard requires demonstrable proof that management is actively requiring personnel to apply security practices. If you are migrating, you need to ensure your evidence shifts from passive documentation to active enforcement records.

Key Performance Indicators (KPIs) for Annex A 5.4

As a Lead Auditor, I do not care about your good intentions. I care about your evidence. You can tell me that your management team takes security seriously, but I need to see the numbers that prove A.5.4 is actually functioning in the real world.

Here are the specific KPIs you should be tracking and presenting during your management review meetings to prove compliance:

  • Policy Acknowledgement Rate: Target 100% of employees digitally signing the Information Security Policy within 14 days of joining or within 14 days of a major policy update.
  • Access Revocation SLA Adherence: The percentage of times IT successfully revokes system access for departing employees within the agreed timeframe (e.g. 24 hours of termination).
  • Phishing Simulation Competency: Departmental failure rates in regular phishing simulations. This proves management is actively measuring and responding to the competence of their staff.
  • Security Budget Realisation: The percentage of proposed information security initiatives and toolsets approved by the board in the annual budget cycle.
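As an added example (not from the guide or its toolkit), the Python below computes the first two KPIs in this list from constructed HRIS, LMS and IAM exports. It treats a leaver whose account was never disabled as an SLA breach once 24 hours have elapsed, and a joiner still inside the 14-day window as pending rather than failed; the record layout, field names and sample population are assumptions.

```python
# Added example (not from the guide or its toolkit): computes two of the
# Annex A 5.4 KPIs above from HRIS / LMS / IAM exports. The record layout
# and the sample population below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Record:
    name: str
    event: datetime                # joiner start date or leaver termination date (HRIS)
    completed: Optional[datetime]  # policy sign-off (LMS) or account disable (IAM), if any

@dataclass
class KpiResult:
    rate: float                    # met / evaluated; 1.0 when nothing has fallen due yet
    evaluated: int
    exceptions: List[str] = field(default_factory=list)  # names for management follow-up
    pending: List[str] = field(default_factory=list)     # deadline not yet reached

def _measure(records, allowance, as_of):
    """Classify each record as met, missed (late or never done), or pending."""
    res, met = KpiResult(rate=1.0, evaluated=0), 0
    for r in records:
        deadline = r.event + allowance
        if r.completed is None and as_of <= deadline:
            res.pending.append(r.name)      # not yet due: excluded from the rate
            continue
        res.evaluated += 1
        if r.completed is not None and r.completed <= deadline:
            met += 1
        else:
            res.exceptions.append(r.name)   # completed late, or overdue and still open
    if res.evaluated:
        res.rate = met / res.evaluated
    return res

def policy_ack_rate(joiners, as_of, window_days=14):
    """Policy Acknowledgement Rate: sign-off within window_days of joining."""
    return _measure(joiners, timedelta(days=window_days), as_of)

def revocation_sla_rate(leavers, as_of, sla_hours=24):
    """Access Revocation SLA Adherence: account disabled within sla_hours of leaving."""
    return _measure(leavers, timedelta(hours=sla_hours), as_of)

# Constructed sample population for a March 2025 management review.
AS_OF = datetime(2025, 3, 31)
D = datetime
JOINERS = [
    Record("alice", D(2025, 3, 1), D(2025, 3, 5)),    # signed on day 4: on time
    Record("bob", D(2025, 3, 1), D(2025, 3, 20)),     # signed on day 19: late
    Record("carol", D(2025, 3, 3), None),             # never signed, window closed: overdue
    Record("dave", D(2025, 3, 25), None),             # window still open: pending
    Record("erin", D(2025, 3, 10), D(2025, 3, 24)),   # signed on day 14 exactly: on time
]
LEAVERS = [
    Record("grace", D(2025, 3, 7, 9), D(2025, 3, 9, 10)),   # 49 h: breach
    Record("heidi", D(2025, 3, 12, 12), None),              # account still active: breach
    Record("ivan", D(2025, 3, 20, 8), D(2025, 3, 21, 8)),   # exactly 24 h: on time
]

if __name__ == "__main__":
    print(policy_ack_rate(JOINERS, AS_OF))
    print(revocation_sla_rate(LEAVERS, AS_OF))
```

The `exceptions` list is the audit trail a Lead Auditor will ask for: the named people whose acknowledgement or offboarding management must follow up, not just the headline percentage.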

How to Overcome C-Suite Resistance

The hardest part of implementing Annex A 5.4 is rarely the documentation. It is the internal politics. Getting the C-Suite to care about information security when they are focused on sales targets and growth can feel like an uphill battle.

The trick is translation. The board speaks the language of risk, revenue, and legal liability. You must stop talking about firewalls and start talking about business continuity. When you pitch your security needs, tie non-compliance directly to lost revenue, regulatory fines, or the loss of key client contracts.

Here is a sample board briefing script you can use to explain the importance of A.5.4 to a busy CEO:

The Elevator Pitch to the CEO: “To win the upcoming enterprise contracts, we need our ISO 27001 certification. The auditors require proof that security is led from the top. I need you to visibly endorse the new security policy and approve the training budget. If the auditor sees that leadership is bypassing security or failing to enforce it, we will receive a Major Non-Conformity, which will delay our certification and potentially cost us the Q3 pipeline. Your signature and visible support are the evidence we need to pass.”

ISO 27001 Annex A 5.4 RACI Matrix

To avoid any ambiguity about who does what, you need a RACI matrix. RACI stands for Responsible, Accountable, Consulted, and Informed. Below is a text-based RACI matrix specifically mapped to the requirements of Annex A 5.4 that you can lift and drop directly into your ISMS documentation.

Task / Requirement | Responsible (Does the work) | Accountable (Stops the buck) | Consulted (Provides input) | Informed (Needs to know)
Allocating the ISMS Budget and Resources | CISO / ISMS Manager | CEO / Board of Directors | Finance Director | IT Department
Enforcing Disciplinary Action for Policy Breaches | Human Resources | Departmental Line Manager | Legal / CISO | The Employee
Delivering Security Awareness Training | ISMS Manager / HR | CISO | Department Heads | All Staff
Approving Core Information Security Policies | ISMS Manager | CEO / Board of Directors | Legal Counsel | All Staff

Contractual Clause Examples (HR and Third-Party)

You cannot enforce what is not legally binding. Annex A 5.4 requires management to ensure security responsibilities are agreed upon in writing. This means your contracts must explicitly reference your security expectations.

Employee Handbook / Contract Clause Example

To satisfy the auditor, your employment contracts or employee handbooks should include language similar to this:

“All employees are required to read, understand, and comply with the organisation’s Information Security Policy and Acceptable Use Policy. Information security is a fundamental condition of your employment. Failure to adhere to these security protocols, including but not limited to the intentional sharing of credentials or mishandling of confidential data, will be subject to the formal disciplinary procedure and may constitute gross misconduct resulting in immediate termination.”

Third-Party Vendor Clause Example (Right to Audit)

For your contractors and suppliers, you need to ensure management has the authority to check their compliance. Insert a Right to Audit clause:

“The Supplier agrees to comply with all applicable information security policies provided by the Client. The Client reserves the right, upon reasonable written notice, to conduct an audit of the Supplier’s information security practices and systems to verify compliance with the obligations set out in this agreement.”

The Cost of Failure: Lead Auditor Case Studies

Scenario A: The Audit Failure (The Rules Do Not Apply to Me)

I was conducting a Stage 2 certification audit for a mid-sized financial technology firm. Their documentation was flawless. However, during the technical observation phase, I discovered that the CEO and the CFO had demanded IT exempt them from the Multi-Factor Authentication (MFA) and VPN requirements because they found them “annoying” while travelling. This is a catastrophic failure of Annex A 5.4. Management cannot mandate that personnel apply security rules while simultaneously exempting themselves. I raised a Major Non-Conformity, and they failed the audit. They had to spend three months remediating their culture before I could issue their certificate.

Scenario B: The Real-World Breach (The Missing Disciplinary Process)

A software company experienced a data breach when a senior developer intentionally emailed source code to his personal email address to work on over the weekend. When the company tried to fire him, their legal counsel stopped them. Why? Because management had never implemented a formal disciplinary process linked to the Acceptable Use Policy, which is a core requirement of A.5.4. The developer claimed he was never told it was a sackable offence. The company had to settle out of court, paying the employee a severance package while simultaneously dealing with a major data incident. A simple policy clause would have saved them thousands of pounds.

Software and Tooling Stack Recommendations

While my ISO 27001 Toolkit will give you all the documentation, policies, and governance frameworks you need to pass the audit, executing these processes at scale across a growing business requires the right tooling. You can manage this on spreadsheets when you have twenty employees, but once you scale, you need automation.

To effectively automate the enforcement of A.5.4, I recommend integrating the following software stacks into your ISMS:

  • Human Resources Information Systems (HRIS): Tools like BambooHR, HiBob, or Workday are essential for automating the onboarding and offboarding workflows. When an employee is marked as a leaver in the HRIS, it should automatically trigger the IT access revocation process.
  • Learning Management Systems (LMS): To prove staff competence and track policy acknowledgements, use an LMS like KnowBe4, Mimecast, or standard Microsoft 365 compliance tracking. This provides the auditor with instant, time-stamped reports of who has completed their training.
  • Identity and Access Management (IAM): You cannot enforce role-based access manually. Implementing Microsoft Entra ID (formerly Azure AD), Okta, or Google Workspace ensures that management controls are technically enforced, restricting access strictly to what is required for an employee’s job description.

The Remote and Hybrid Work Dilemma

When I audit traditional organisations, I look for physical evidence of a security culture. Are managers wearing their ID badges? Are screens locked when people walk away? However, in today’s remote and hybrid working environments, physical observation is largely irrelevant. Management cannot walk the office floor to ensure compliance.

So, how does management prove they are enforcing Annex A 5.4 when staff are sitting in their living rooms or a local coffee shop?

The answer lies in technical enforcement and remote governance. If you operate a remote or hybrid model, an auditor expects management to mandate the following:

  • Mobile Device Management (MDM): Management must provision tools (like Microsoft Intune or Jamf) that force screen timeouts, mandate complex passwords, and encrypt local hard drives. You cannot rely on staff to do this voluntarily.
  • Virtual Town Halls: Leadership must regularly dedicate time in all-hands video calls to discuss security updates, recent phishing threats, and policy changes. Keep the meeting recordings and agendas as your audit evidence.
  • Privacy vs. Monitoring: You must strike a balance. Management has a responsibility to monitor compliance, but this must be done transparently and legally. Your Acceptable Use Policy must clearly state what remote monitoring tools are installed on company laptops and what data is being collected.

The “Tone at the Middle” (The Management Bottleneck)

We talk endlessly about the “Tone at the Top”. Getting the CEO to sign the Information Security Policy is the easy part. The real point of failure for Annex A 5.4 is the “Tone at the Middle”.

In my experience, the biggest threat to your ISMS is a high-performing Sales Director or a Lead Developer who views security as a roadblock to hitting their quarterly targets. If a middle manager tells their team to bypass a security control in favour of speed, the entire security culture collapses. The auditor will spot this immediately.

To fix this, management responsibilities must have teeth. You must tie security compliance directly to a manager’s performance review and compensation. If a department fails its phishing simulations, or if a line manager fails to offboard a departing employee within the agreed SLA, that must reflect on their annual appraisal. When middle management’s bonus is tied to their team’s security hygiene, compliance ceases to be an IT problem and instantly becomes a business priority.

A 30-Day Implementation Roadmap

You know what needs to be done, but you are likely wondering how to sequence it. Implementing A.5.4 does not have to be a multi-month ordeal. If you use the templates in my ISO 27001 Toolkit, you can operationalise this control in a four-week sprint.

  • Week 1: Roles and Governance. Draft the Information Security Roles and Responsibilities document. Map out your RACI matrix. Present these to the Board or executive team and secure their formal sign-off. Keep the meeting minutes.
  • Week 2: HR and Legal Alignment. Work with your HR department. Update all standard employment contracts to include the mandatory security clauses. Formally document your disciplinary process for security breaches. Ensure third-party contracts have a “Right to Audit” clause.
  • Week 3: Policy Rollout. Publish your newly signed Information Security Policy and Acceptable Use Policy. Use your HRIS or compliance platform to distribute the documents. Mandate that every employee signs a digital acknowledgement within five working days.
  • Week 4: Training and Baselining. Launch your first wave of role-based security awareness training. Conduct a baseline phishing simulation across the entire company. Review the results with the management team to identify which departments require immediate remedial support.

The True Cost of Compliance (Budgeting for A.5.4)

Annex A 5.4 explicitly requires management to “provision resources” for the ISMS. But what does that actually mean in pounds and pence? When you are pitching to the board, you need to present realistic numbers. There are hard costs and soft costs associated with this control.

Hard Costs: These are your software licenses and consultancy fees. You will need a Learning Management System (LMS) to track training, which typically costs a few pounds per user, per month. You may need to upgrade your HR software to automate onboarding workflows. And, of course, the cost of an ISO 27001 Toolkit to bypass the massive fees charged by traditional consultants.

Soft Costs: This is the metric most businesses forget to calculate. The true cost of A.5.4 is time. If you have 100 employees, and management mandates a two-hour security awareness training programme annually, you are committing 200 billable hours to compliance. You must also budget the time for the ISMS Manager to conduct internal audits, and the time for the executive team to sit in Management Review Meetings. Management must formally acknowledge and accept this time expenditure.

The Security Culture Maturity Model

ISO 27001 requires continuous improvement. When I come back for your surveillance audit in year two, I want to see that your management responsibilities have evolved. To demonstrate this, you can map your progress against a simple Security Culture Maturity Model.

Maturity Level | Management Behaviour | Auditor Verdict
Level 1: Reactive | Security is never discussed until there is a breach. Policies exist in a drawer but are completely ignored. Managers bypass controls whenever it is convenient. | Major Non-Conformity. The ISMS is failing and certification will be withheld or revoked.
Level 2: Compliant | Management enforces the rules purely because the auditor is coming. Training is a tick-box exercise. Disciplinary processes exist on paper but are rarely used. | Pass (with Opportunities for Improvement). You meet the baseline requirements, but the culture is fragile and high risk.
Level 3: Optimised | Security is a standing agenda item in weekly operational meetings. Staff proactively report near-misses without fear of reprisal. Management proactively budgets for new security tools. | Excellent. This demonstrates total compliance and a robust, mature Information Security Management System.

ISO 27001 Annex A 5.4 FAQ

What is ISO 27001 Annex A 5.4?

ISO 27001 Annex A 5.4 is an organisational control that requires management to ensure all personnel apply information security in accordance with established policies and procedures.

Is a formal disciplinary process mandatory for Annex A 5.4?

Yes, management must establish, communicate, and maintain a formalised disciplinary process to handle employees who violate security policies.

What is the difference between Clause 5 and Annex A 5.4?

While Clause 5 focuses on high-level leadership and the overall ISMS strategy, Annex A 5.4 is an operational control focused on management’s role in enforcing policy adherence among staff.

Who is responsible for Annex A 5.4 compliance?

Responsibility for Annex A 5.4 lies with anyone in a supervisory or leadership role, including the Board of Directors, C-suite, and departmental line managers.

What evidence do auditors look for regarding management responsibilities?

Auditors seek verifiable proof that management is actively enforcing security requirements and that employees understand their obligations.

How can management demonstrate commitment to ISO 27001?

Management demonstrates commitment by integrating security into business processes and ensuring that security objectives are aligned with organisational goals.

Further Reading

Essential Resources for ISO 27001 Annex A 5.4 Implementation
Resource Title | Purpose & Target Audience
How to Implement ISO 27001 Annex A 5.4 Management Responsibilities | A step-by-step technical guide for establishing management oversight and governance structures.
ISO 27001 Annex A 5.4 Audit Checklist | Specific questions and evidence requirements for passing the certification audit.
ISO 27001 Annex A 5.4 for Small Business | Simplified governance frameworks tailored for SMEs with limited resources.
ISO 27001 Annex A 5.4 for Tech Startups | Agile implementation strategies for high-growth technical environments.
ISO 27001 Annex A 5.4 for AI Companies | Specialised guidance on algorithmic oversight and data governance responsibilities.
ISO 27001 Competency Matrix Beginner’s Guide | Instructions on mapping skills and tracking training compliance for the ISMS.

ISO 27001 Annex A 5.4 Mapped to other Standards and Laws

Regulatory Mapping: ISO 27001 Annex A 5.4 vs. Global Standards
Framework / Regulation | Relevant Control or Section | Mapping to Management Responsibilities (Annex A 5.4)
NIST SP 800-53 (Rev 5) | PL-4 (Rules of Behavior); PM-10 (Security Authorization Process) | Direct equivalence. NIST PL-4 requires management to establish and sign rules of behaviour, mirroring the A.5.4 requirement for personnel to apply security in accordance with established policy.
EU NIS 2 Directive | Article 20 (Governance); Article 21 (Risk Management Measures) | NIS 2 Article 20 mandates that “management bodies” approve and oversee cybersecurity measures. Annex A 5.4 provides the operational evidence (staff adherence) required to satisfy this governance obligation.
EU DORA | Article 5 (Governance and Organisation) | DORA explicitly places “ultimate responsibility” on the management body. Implementing A.5.4 ensures that the roles and strategies defined by the Board under Article 5 are actually executed by staff.
UK Cyber Security & Resilience Bill | Senior Management Liability (Pending Legislation) | Expected to mirror NIS 2, this Bill introduces personal liability for senior managers. A.5.4 compliance is the primary defence mechanism, demonstrating that management actively enforced security policies rather than just documenting them.
SOC 2 (AICPA) | CC1.3 (COSO Principle 3); CC5.3 (Risk Mitigation) | SOC 2 requires management to establish “tone at the top”. Auditors test A.5.4 by verifying if management holds individuals accountable for internal control responsibilities.
CIRCIA (USA) | Reporting Governance (CISA Reporting Requirements) | Mandates 72-hour reporting for critical infrastructure. A.5.4 is essential here: management must ensure staff are trained and obligated to report incidents immediately to meet this federal deadline.
EU Product Liability Directive (PLD) | Strict Liability for Software (Defectiveness) | The PLD extends strict liability to software defects, including security flaws. Management responsibilities (A.5.4) now extend to ensuring developers follow “Security by Design” principles to prevent liability claims.
UK Data (Use and Access) Act 2025 | Accountability Principle (Amended UK GDPR) | While reducing some administrative burdens (e.g., simplified ROPA), the Act maintains strict accountability. A.5.4 ensures that staff understand and apply the new “Recognised Legitimate Interests” for data processing correctly.
EU AI Act | Article 4 (AI Literacy); Article 9 (Risk Management) | Management must ensure personnel are competent in using AI systems (Article 4). A.5.4 enforces the usage policies required to prevent “High-Risk” AI systems from drifting into non-compliance.
HIPAA (USA) | § 164.308(a)(1) (Security Management Process) | Requires covered entities to implement policies and procedures. A.5.4 is the “Administrative Safeguard” that ensures the workforce actually complies with these HIPAA sanctions policies.
ECCF | Cyber Resilience Act (CRA) Links | For EU-wide certification, management must affirm that processes are followed. A.5.4 provides the internal audit trail required to achieve “Substantial” or “High” assurance levels under the framework.

ISO 27001 Controls and Attribute Values

Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
Preventive | Confidentiality, Integrity, Availability | Identify | Governance | Governance and Ecosystem


About the author

Stuart Barker
ISO 27001 Ninja
MSc Security | Lead Auditor | 30+ Years Experience | Ex-GE Leader

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
