ISO 27001 Control 5.4 Management Responsibilities
ISO 27001 Control 5.4 requires organisations to ensure that management plays a pivotal role in establishing effective information security. Read my guide on implementing it below.
Written By: Alan Parker, ISO 27001 Consultant
Last Updated: 09/05/2026
Key Takeaways
- Management must do, not just delegate. Signing the policy isn’t enough if leadership then ignores it.
- A signed senior management statement is the easiest and most visible piece of 5.4 evidence to produce.
- Management exemption from awareness training is the single most common audit finding on this control.
- Most of the operational evidence for 5.4 lives in HR processes: onboarding, contracts, and offboarding.
- Approving policies without approving the resources to deliver them is a common gap.
The Purpose of Management Responsibilities Under Control 5.4
ISO 27001 makes it ultra-clear that it requires senior management involvement in the ISMS. And, as I’ve summarised in control 5.2 around roles & responsibilities, you must clearly identify and assign them.
So, the primary goal of defining management responsibilities per the intent of control 5.4 is to:
- Ensure that managers understand the importance of their role in promoting information security.
- Drive actions that make personnel aware of and accountable for their information security responsibilities.
The control requires senior sponsorship of policies and procedures throughout the organisation, and that they are communicated and enforced to staff and stakeholders.
Key Management Activities
To effectively meet ISO 27001 control 5.4, management should consider the following activities to support communication of policies and procedures:
Provide Comprehensive Briefings
Management can use forums such as ‘All-hands meetings’ or team meetings to ensure staff are briefed on their information security roles and responsibilities. This is only really effective at a point in time, though: for example, when you launch a new policy or procedure and want someone at the top of the tree to sponsor it and let staff know it exists. It’s not great as an ongoing process for new starters, who may benefit more from a recorded video briefing from the exec, or something in a handbook, so that the explanation happens before they are granted access to organisational assets.
I do recommend having an overarching senior management statement from the CEO that addresses the overall importance of security to the organisation and, of course, the personal and business impact of not following documented guidance. It’s great for audits when they ask about this area.
Establish Clear Guidelines
The management team should strive to ensure that staff are provided with guidelines that outline the specific information security expectations for each role within the organisation. These guidelines should be tailored to align with the organisation’s policies and security objectives.
There’s an old saying, ‘if it’s not written down, it hasn’t been said’, and I believe that to be true, so it’s important that any expectations are clearly documented, and ideally signed off as reviewed by the individual.
Enforce Policy Compliance
The leadership team need to mandate compliance with the organisation’s information security policy, topic-specific policies, and procedures. Management must set an example by adhering to these policies themselves. I’ve witnessed clear policies over the years being ignored or treated as an inconvenience by senior management, who then go on to circumvent them. It takes strong leadership and robust governance to stand up to a manager who does this, but ultimately, policies exist for a reason.
I’ve written a bit more about this scenario below. While I don’t witness it directly during internal audits, it comes up consistently with clients as a top frustration for IT leads and CISOs.
Promote Security Awareness
Management must ensure personnel achieve a level of information security awareness per the requirements of Clause 7.2 of ISO 27001, which is relevant to their roles and responsibilities. This can be supported through regular training sessions and awareness campaigns.
If you can provide evidence to an auditor that the management team has supported an awareness campaign, with key messaging or endorsement, then it’s more evidence to support your case that the control has been met.
Support Ongoing Education
The awareness section above addresses people’s roles in the ISMS, but senior management should facilitate the continuous professional education of personnel to maintain and enhance their information security skills and qualifications.
Maintaining evidence that training plans have been approved, and that managers are reviewing training needs through a security lens, is also solid evidence of involvement.
Enable Whistleblowing Channels
Organisations that are really serious about security, and about related areas such as anti-bribery and corruption, may have whistleblowing policies for employees who encounter behaviour contrary to company policy and feel it needs to be escalated for serious attention.
Allocate Adequate Resources
Finally, senior management can demonstrate their involvement with the ISMS by reviewing and approving resource requests (funding, personnel, timing, tools, etc.) to implement security-related processes and controls effectively. This demonstrates management’s commitment to prioritising security within organisational projects.
So I often suggest that the InfoSec manager present their resource plan for the next 6 to 12 months to the CEO for sign-off and approval. This is great evidence.
Evidence Auditors Will Look For
ISO 27001 Control 5.4 is a control that auditors test largely through interviews and document review rather than technical evidence. They want to see that management is genuinely engaged with the ISMS, not just signing things off when asked.
So an ISO 27001 auditor could ask for:
- A senior management statement on information security, signed and dated by the CEO, MD, or equivalent. This is one of the easiest pieces of evidence to produce and one of the most visible signals that management is involved. There’s one in my toolkit.
- Signed Information Security Policy and topic-specific policies, with evidence they have been formally approved by management (signature, version control, dated approval record).
- Training plans approved by management, with evidence of review against current security needs and threats.
- Resource approval records, such as InfoSec budget sign-offs, headcount approvals, or tooling purchase decisions, ideally tied to a security-specific request. Again, I have simple versions of these in the toolkit.
- Management review minutes that explicitly cover ISMS topics, not just listed as an agenda item but with substantive discussion captured.
- Evidence that management themselves follow the policies. Auditors could check whether the MD has acknowledged the Acceptable Use Policy or similar, completed security awareness training, and acknowledged any topic-specific policies that apply to them.
- Communications evidence, such as briefing materials (presentations), notes from all-hands meetings or induction packs, showing that staff are made aware of their information security responsibilities before being granted access to systems.
Auditors could also test this verbally with senior management directly.
Questions can include things like, “What’s the biggest information security risk to this business right now?”, “When did you last review the InfoSec budget?”, and “Can you tell me what’s in the Information Security Policy?”. If the MD or CEO can answer these confidently, your 5.4 is working. If they look at the InfoSec Manager for help, you might have a problem.
Common Issues I Find During Internal Audits
Control 5.4 is tricky because it relies on management actually doing the things rather than just delegating them. Here’s what I commonly see:
- No senior management statement/endorsement of the Information Security Policy. The information security policy is signed off, but there’s no visible top-down statement from the CEO or MD that says “this matters, and I expect you to follow it”. Easiest fix on the page: get a one-paragraph statement signed and published on the intranet or in the ISMS handbook.
- Management who don’t follow their own policies. It’s common in an immature, smaller organisation that the MD has insisted upon admin rights they don’t need, hasn’t done the security awareness training they mandated for everyone else, and uses their personal device for company email despite the BYOD policy saying otherwise. I understand it: in many cases they started the business themselves and want to retain that control, but eventually they have to give it up as the business scales and the reasoning no longer holds true.
- No evidence of resource approval for security. Management have approved the policies but there’s no record of them approving InfoSec budget, tooling, or headcount. Without that, “support and provide resources” is just words. Keep a simple log of security-related decisions made in management meetings: it doesn’t have to be elaborate, just dated and traceable. You need to provide sufficient resources to enable the main Clauses of ISO 27001, so having sign-off (even by an email approval) from senior management for your resource plan can help.
- No documented review of training needs. The training is generic, off-the-shelf, and hasn’t been reviewed against the actual risks the business faces. Management should be reviewing whether the awareness programme is appropriate for the threats and roles within the organisation, not just rubber-stamping it annually.
How Control 5.4 Connects to HR Processes
You’ll probably need some HR assistance for Control 5.4, as most of the practical evidence for it lives in HR processes rather than security ones.
There are three points in the employee lifecycle where this matters most:
Onboarding – Information security responsibilities need to be communicated before someone is granted access to systems, not after. In practice, this means a brief security induction in the onboarding pack, sign-off on the Acceptable Use Policy, and acknowledgement of any role-specific security expectations. This connects directly to Annex A 6.1 (Screening), and good practice often combines the two.
Terms of employment – Security responsibilities should be written into employment contracts and contractor agreements as standard. A short clause covering confidentiality, acceptable use, and the requirement to follow the organisation’s information security policies is usually enough. This is Annex A 6.2 territory, and 5.4 is what ensures it actually happens.
Offboarding – When someone leaves, access needs to be revoked, assets returned, and any post-employment confidentiality obligations made clear. This sits under Annex A 6.5, but management is responsible for ensuring the offboarding process actually runs every time, not just when HR remembers.
If you have a clean onboarding checklist, security clauses in contracts, and a documented offboarding process, you’ve covered most of what 5.4 expects from the HR side.
What if Senior Management Is the Problem?
I mentioned earlier that rogue managers ignore or actively circumvent policies and procedures, and felt it was worth a little exploration, as I have had to coach a few of my clients through exactly this situation.
Three practical things might help:
- Document concerns in writing – A polite, evidence-based note to the senior leader creates the paper trail that protects you and signals the issue isn’t going away. If you only mention it casually over a coffee, it disappears: verbal complaints vanish; written ones don’t. It’s difficult, I appreciate that, because whatever you do it potentially puts you in a position of confrontation, but if they accept the risk then you have that documented, and if something does go wrong you’ve done what you can.
- Use the audit process – Internal and external audits are designed to surface these issues without making it personal. If management non-compliance shows up in an internal audit report that goes to the management review, it becomes an organisational issue rather than your individual concern. I’d be slightly naughty here and make sure the auditor finds it with a gentle nudge or even a discussion behind closed doors, and I’m sure they’ll help surface it without animosity or confrontation.
- Escalate if it’s serious – If you feel that there is a serious risk to data owned by others, then you have a responsibility to act. The path might be determined by internal escalation procedures, or in a worst case by escalation to a regulatory body. I appreciate the difficulty of this and that it is easier said than done, but ultimately, would you allow someone to cut corners with your bank account details? No, so don’t allow a similar situation to come about for others.
The honest reality is that 5.4 only works if there’s genuine top-down commitment. If there isn’t, certification will become harder over time rather than easier, and at some point, the conversation needs to happen at the board level. ISO 27001 is partly a forcing function for this; use it.
How does ISO 27001 Control 5.4 link to other clauses and controls?
Control 5.4 is one of the most cross-referenced controls in the standard because it sits at the intersection of leadership, HR, and awareness. Understanding the relationships matters because evidence for 5.4 often lives in documentation owned by other controls.
- Clause 5.1 – Leadership and Commitment: The parent management system clause that 5.4 operationalises. Clause 5.1 says management must be committed to the ISMS; 5.4 says they must enforce it.
- Clause 7.2 & 7.3 – Competence & Awareness: 5.4 explicitly requires management to ensure personnel are competent for their information security responsibilities. The competence evidence sits under 7.2. Clause 7.3 is the management system requirement that drives this; 5.4 is the leadership accountability for it.
- Annex A 5.2 – Roles and Responsibilities: 5.4 is how management ensures the responsibilities allocated under 5.2 are actually fulfilled. Without 5.4, 5.2 is just a document.
- Annex A 6.2 – Terms and conditions of employment: Information security responsibilities should be written into employment contracts and contractor agreements. 5.4 is where management enforces that this happens.
- Annex A 6.3 – Information security awareness, education and training: The operational delivery of the awareness programme that 5.4 requires management to support and ensure compliance with.
- Annex A 6.4 – Disciplinary process: The consequence side of 5.4. If management is responsible for enforcing compliance, there must be a documented process for handling non-compliance.
FAQs
What is the purpose of Control 5.4 in ISO 27001?
Control 5.4 ensures that top management actively enforces information security across the organisation, rather than delegating it to IT or the InfoSec Manager. It’s the control that turns leadership commitment from words into observable action.
What’s the difference between Control 5.4 and Clause 5.1 (Leadership)?
Clause 5.1 is the management system requirement that top management must demonstrate commitment to the ISMS. Control 5.4 is the operational implementation of that commitment, specifically around ensuring personnel follow policies and procedures. Clause 5.1 is the principle; 5.4 is how you show it in practice.
Does this control mean senior leaders need to be security experts?
No. Senior leaders need to understand the importance of information security, set the strategic direction, ensure security aligns with business goals, and follow the policies themselves. They should empower qualified staff to handle the technical details. What they cannot do is delegate the responsibility for caring about it.
How can we demonstrate management’s involvement during an audit?
The most useful evidence is a senior management statement on information security signed by the CEO or MD, signed-off policies with version control, management review minutes that substantively cover ISMS topics, and records of resource approval (budget, headcount, tooling). Management completing security awareness training themselves is also a strong signal.
What should we do if senior management isn’t following the policies?
This is, unfortunately, a common problem and one of the hardest to address directly. The short answer is: document your concerns in writing, use the internal audit process to formally surface the issue, and recognise that certification bodies will treat consistent management non-compliance as a major nonconformity. The longer answer is in the “What if Senior Management Is the Problem?” section above.
Can disciplinary action be part of how we enforce Control 5.4?
Yes, and the standard expects you to have a disciplinary process for security policy breaches under Annex A 6.4. Management is accountable for ensuring the process exists, is fair, and is actually used when needed. You don’t need to threaten people, but the process should be documented and visible.
Why is management involvement so critical in ISO 27001?
Because the ISMS dies without it. When leadership treats security as something the IT department handles, the rest of the organisation does too. When leadership visibly cares, attends the right meetings, signs the right things, and follows the rules themselves, the rest of the organisation follows. ISO 27001 is partly a structural framework that forces this top-down attention; that’s why the standard places so much emphasis on leadership commitment.
Conclusion
Management responsibilities are integral to the success of any information security programme. By taking proactive measures to educate, guide, and support personnel, managers can strengthen the organisation’s overall security posture.
Visible leadership and adequate resource allocation create an environment where information security is prioritised and seamlessly integrated into daily operations. The reverse is also true: where leadership treats security as someone else’s problem, the ISMS struggles to compete for attention with everything else demanding it.
If you’d like a senior management statement template and the supporting documents that make 5.4 evidence easy to produce, the Iseo Blue ISO 27001 Toolkit includes both. Or, if you’d rather talk through how to get senior management properly engaged in your ISMS, the free 30-minute consultation is genuinely free and 30 minutes long.
Author Background
This article was written by Alan Parker, an ISO 27001 consultant and founder of Iseo Blue Limited. He helps UK SMEs achieve certification in 90 days or less – often without a dedicated security team or a large budget.
With over 30 years in IT governance and information security, Alan works with software companies, IT service providers, managed service providers, and professional services firms across the UK, Europe, and internationally.
Qualifications: B.Sc (Hons) Information Systems, CISMP certified, ITIL v3 Expert, ITIL v4 Bridge, PRINCE2 Practitioner. Named IT Project Expert of the Year (2024, UK). Alan writes in plain English for busy teams who need to get things done.
Connect on LinkedIn or Bluesky, or explore his free ISO 27001 tools and templates at iseoblue.com.