Annex A · Organisational Control

A.5.4 — Management Responsibilities

Updated on · 4 min read · Reviewed by: Cenedril Editorial
Tags: A.5.4 · ISO 27001 · ISO 27002 · BSI ISMS.1

A CISO presents the annual security report. The CEO nods, signs the minutes and leaves the room. Nothing changes in how the organisation operates. Six months later, an audit reveals that half the workforce has never completed security awareness training. A.5.4 exists to close this gap between stated commitment and observable action.

Management responsibilities go beyond policy approval. Managers at every level must actively ensure that their teams understand, accept and follow information security requirements — and they must demonstrate this through measurable activities.

What does the standard require?

  • Require compliance from all personnel. Management must ensure that all employees and, where relevant, contractors apply information security in accordance with the organisation’s established policies and procedures.
  • Ensure awareness and competence. Before granting access to information assets, management must ensure that personnel understand their security responsibilities and are adequately trained.
  • Provide a reporting channel. A confidential mechanism must exist for personnel to report information security policy violations or concerns without fear of reprisal.
  • Lead by example. Managers must visibly demonstrate their own commitment to information security. An organisation where management ignores its own rules will struggle to achieve compliance from anyone else.
  • Allocate resources. Management must ensure that sufficient time, budget and personnel are available for information security activities.

In practice

Brief managers before they brief their teams. Run dedicated management awareness sessions that cover the organisation’s security objectives, the managers’ specific responsibilities and the evidence they need to produce. Managers cannot cascade what they do not understand themselves.

Integrate security into onboarding. Ensure that every new employee receives security awareness training before accessing systems. Make line managers responsible for confirming that onboarding was completed — not just HR.

Establish a confidential reporting channel. Whether it is an anonymous web form, a dedicated email address or a physical suggestion box, employees must know that reporting a security concern will not lead to negative consequences. Publicise the channel regularly.

Document management reviews. Record attendance, decisions and action items from management review meetings. This documentation serves as both steering instrument and audit evidence. Follow up on open action items in the next meeting.

Typical audit evidence

Auditors typically expect the following evidence for A.5.4:

  • Management awareness records — evidence that managers themselves received security briefings
  • Awareness training completion reports — showing participation rates per department, approved by the responsible manager
  • Management review minutes — documenting security topics discussed and decisions taken
  • Confidential reporting mechanism — documentation of the channel and evidence that it is communicated to all personnel
  • Resource allocation records — budget approvals and staffing decisions related to information security

KPI

% of managers who have formally acknowledged their information security responsibilities

This KPI tracks whether management commitment is documented at the individual level. Target: 100%. A formal acknowledgement typically takes the form of a signed responsibility statement or a recorded acceptance in the awareness training system.

Supplementary KPIs:

  • Awareness training completion rate across all departments (target: above 95%)
  • Number of security items on management meeting agendas per quarter
  • Time between policy violation report and management response

BSI IT-Grundschutz

A.5.4 maps to the following BSI requirements:

  • ISMS.1.A1 (Assumption of overall responsibility) — top management must acknowledge information security as a strategic priority and commit resources.
  • ISMS.1.A8 (Integration into organisational processes) — information security must be embedded in business processes, with management actively driving adoption.
  • ORP.3.A1 (Awareness and training programme) — all employees must participate in security awareness activities, initiated and monitored by management.
  • ORP.2.A14 (Commitment of external staff) — external personnel must be bound by the same security requirements as internal employees.

A.5.4 bridges leadership commitment and operational execution: top management commits and provides resources, and line managers turn that commitment into daily practice within their teams.

Frequently asked questions

What exactly must management do under A.5.4?

Management must require all personnel to apply information security in accordance with the organisation's policies, ensure they receive appropriate awareness training, provide a confidential reporting channel for policy violations, and lead by example. The emphasis is on active involvement; signing off on a policy document alone is insufficient.

Does A.5.4 apply only to top management?

The control applies to all levels of management. Top management sets the tone and provides resources, but line managers and department heads are the ones who translate policy into day-to-day behaviour within their teams.

How do auditors assess management commitment?

Auditors look for concrete evidence: documented awareness activities sponsored by management, resource allocation for security, management review meeting minutes, and records showing that managers addressed non-compliance when it occurred.