The basics
ISO 27001 control A.5.4 Management responsibilities requires companies’ top management to make sure relevant people comply with information security policies and procedures. This is important because, without top management involvement, other people will consider security rules irrelevant.
Documentation
ISO 27001 control A.5.4 Management responsibilities can be documented by writing an Awareness and Training Plan, which provides evidence of management commitment by requiring all relevant personnel to apply information security according to the defined documentation.
It is not mandatory to document this control, but it is recommended for all companies.
Implementation
In order to comply with control A.5.4 Management responsibilities you might implement the following:
- Technology — the technology to enable management to demonstrate commitment to information security may include software to share information security policies and procedures (e.g., corporate portals and document management systems), and to provide training and awareness on how to comply with them (e.g., learning platforms).
- Organization/processes — you should set up a process for defining how to communicate policies and procedures, what should be communicated, which training is required, and who needs to be trained. You can document those processes through an Awareness and Training Plan.
- People — make managers aware of why management commitment is needed, and train them on how to identify what needs to be communicated, and to whom.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.4 Management responsibilities: whether top management is committed to ensuring that company personnel comply with information security policies and procedures.