Management responsibilities for information security
Managers must ensure everyone follows and supports the organisation's security policies.
Plain language
This control is all about making sure that everyone in the organisation knows and follows the rules for keeping information safe. It's essential because if people don't understand their responsibilities, sensitive information could be mishandled, leading to data breaches or other security incidents.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.
Why it matters
If managers don’t enforce information security policies and procedures, staff may bypass required controls, increasing the likelihood of incidents and data breaches.
Operational notes
Require managers to include policy compliance in onboarding, 1:1s and performance goals, and track adherence to information security and topic-specific procedures.
Implementation tips
- The CEO or top management should clearly communicate the importance of information security to all staff. This involves having a clear and easy-to-understand information security policy that is shared with everyone.
- The HR department should ensure that information security responsibilities are included in job descriptions and employee contracts. This means clearly outlining security duties so everyone knows what's expected when they start.
- Managers should provide regular training sessions to keep staff informed about security policies. Organise workshops or online courses, and make sure they're relevant to each person's role.
- The IT team should ensure that all employees are equipped with necessary resources, like security software and tools, for maintaining information security. This includes making sure everyone understands how to use them correctly.
- Create and promote a confidential reporting process for staff to voice security concerns or report breaches. Encourage an open environment where reporting is seen as a positive action that helps the organisation improve security.
Audit / evidence tips
- Ask to see the organisation's information security policy
- Ask for examples of job descriptions or employment contracts and check for mentions of security responsibilities. A good result is that these documents clearly outline security expectations
- Ask for a list of the tools and resources provided to staff for security purposes
Cross-framework mappings
How Annex A 5.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes |
|---|---|
| Partially meets (3) | |
| ISM-0348 | ISM-0348 requires organisations to develop, implement, and maintain media sanitisation processes and procedures |
| ISM-0820 | ISM-0820 sets a specific personnel behaviour expectation: do not post work information to unauthorised online services and report if it h... |
| ISM-1998 | Annex A 5.4 requires management to require all personnel to apply information security in accordance with established policies and proced... |
| Partially overlaps (5) | |
| ISM-0264 | Annex A 5.4 requires managers to ensure personnel apply information security according to established policies and procedures |
| ISM-1078 | Annex A 5.4 requires management to ensure personnel comply with the organisation’s information security policies and procedures |
| ISM-1478 | Annex A 5.4 requires management to require personnel to apply information security in line with organisational policies and procedures |
| ISM-1549 | Annex A 5.4 requires management to require personnel to apply information security consistent with established policies and procedures |
| ISM-1602 | Annex A 5.4 requires management to ensure all personnel apply information security consistent with the organisation’s policies and proced... |
| Supports (25) | |
| ISM-0009 | ISM-0009 requires system owners and authorising officers to identify supplementary controls based on system-specific risks, operating env... |
| ISM-0039 | Annex A 5.4 requires management to direct all personnel to apply information security in accordance with the organisation’s established p... |
| ISM-0047 | Annex A 5.4 requires management to ensure personnel apply information security consistent with established policies and procedures |
| ISM-0408 | ISM-0408 requires a security reminder banner at logon to prompt users about their responsibilities when accessing systems |
| ISM-0499 | ISM-0499 requires personnel managing and operating HACE to comply with ASD communications security doctrine and policy |
| ISM-0576 | ISM-0576 requires the organisation to have an implemented and maintained incident management policy and incident response plan that perso... |
| ISM-0588 | ISM-0588 requires an organisation to have an MFD usage policy in place to direct secure and appropriate use of multifunction devices |
| ISM-0714 | Annex A 5.4 requires management to make sure personnel follow established information security policies, topic-specific policies and proc... |
| ISM-0718 | Annex A 5.4 requires management to require all personnel to comply with established information security policies and procedures |
| ISM-0720 | Annex A 5.4 requires management to ensure personnel apply information security in line with established policies and procedures |
| ISM-0724 | ISM-0724 requires the CISO to implement cyber security measurement metrics and KPIs to track performance |
| ISM-0725 | Annex A 5.4 requires management to ensure personnel apply information security in line with organisational policies and procedures |
| ISM-0726 | ISM-0726 requires the CISO to coordinate security risk management activities between cyber security and business teams |
| ISM-0824 | ISM-0824 sets an expected behaviour: personnel should avoid unauthorised online file services for sending or receiving files |
| ISM-1359 | ISM-1359 requires an organisation to establish and maintain a removable media usage policy so personnel know how removable media can be u... |
| ISM-1510 | ISM-1510 requires an organisation to develop, implement and maintain a digital preservation policy so preservation expectations are defin... |
| ISM-1533 | ISM-1533 requires the organisation to develop, implement and maintain an MDM policy for mobile devices |
| ISM-1551 | ISM-1551 requires an organisation to develop, implement and maintain an IT equipment management policy to govern how equipment is managed... |
| ISM-1864 | ISM-1864 requires the organisation to establish and maintain a system usage policy |
| ISM-1865 | ISM-1865 requires personnel to agree to follow system usage policies before being granted access |
| ISM-1884 | ISM-1884 requires the organisation to comply with ASD emanation security (EMSEC) doctrine to prevent information leakage via electromagne... |
| ISM-1999 | ISM-1999 requires executive leadership to align cyber security strategy to business strategy |
| ISM-2001 | ISM-2001 requires the board or executive committee to champion a positive cyber security culture through visible leadership and example |
| ISM-2004 | ISM-2004 requires board/executive support for developing cyber security skills and experience via awareness and training opportunities |
| ISM-2036 | ISM-2036 requires that security responsibilities for software developers are identified and documented |
| Depends on (1) | |
| ISM-2074 | ISM-2074 requires an organisation to have a documented and maintained policy governing general-purpose AI usage |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.