
Control 5.4: Management Responsibilities


Summary

This control requires management to ensure that all personnel apply information security in accordance with the organization's established information security policy, topic-specific policies and procedures. The underlying point is that security culture starts with leadership: expectations have to be stated formally, communicated to staff, and enforced when they are not met, rather than left implicit.


Applicability

In-Scope: Applicable to all organizations. It positions security as a business requirement owned by management rather than a task delegated to IT alone, and it is one of the main ways an organization demonstrates leadership commitment to the ISMS during the ISO certification process.

Out-of-Scope: Effectively never out-of-scope. Leadership must always demonstrate support for the ISMS, so excluding this control in the Statement of Applicability would be very difficult to justify to an auditor.


Implementation Guidance

Microsoft 365 / Entra ID

  • Governance Portal: Use a SharePoint-based Governance Portal where management publishes regular updates or Town Hall recordings setting out security expectations, so that the communication is dated and retrievable as evidence.

  • Awareness Tracking: Use Microsoft Viva Learning to assign and track mandatory security leadership briefings for all managers.

  • Performance Metrics: Include security compliance (e.g., completion of mandatory training, policy acknowledgement) as a measured objective in HR appraisal processes, for example by feeding completion data from Viva Learning into the organization's HR system. Making compliance a performance objective is what gives management a formal lever when expectations are not met.


Evidence Checklist

  • Management Communiqués: Dated emails, newsletters or Town Hall recordings from leadership setting out security expectations and reinforcing the importance of following policy.

  • Meeting Minutes: Records of Management Review Meetings where ISMS performance and security goals were discussed.

  • Policy Endorsement: Formal, dated evidence (signed approval records or version history) that leadership has reviewed and approved the current information security policy and security strategy.


Practical Audit Advice

Here are some questions the auditor might ask. For each, be ready to point to the specific evidence item above that answers it rather than to a verbal assurance:

  • How does management demonstrate their commitment to information security to the wider workforce on a regular basis?

  • What actions does management take when a department or individual consistently fails to meet security policy requirements?

  • Can you show evidence that security objectives are integrated into the organization's overall business planning?

  • How does leadership ensure that the security team has the necessary resources (budget and personnel) to maintain the ISMS?