ISO 27001 Control 5.4: Management Responsibilities

When management treats information security as someone else’s problem, policies collect dust and personnel make up their own rules. The result is predictable: inconsistent practices, undetected violations, and audit findings that trace back to a leadership vacuum. ISO 27001 control 5.4 exists to close that gap — by making management directly accountable for ensuring everyone actually follows the security program.

What 5.4 Requires

ISO 27001 Annex A 5.4 requires management to actively direct and compel all personnel to apply information security in accordance with the organization’s established policies and procedures. This is not a suggestion to “support security” in vague terms. Management must communicate specific expectations, provide the resources to meet them, and hold people accountable when they fall short.

In practical terms, that means every person working under the organization’s control — employees, contractors, temporary staff — must understand their individual security responsibilities before they touch a system or handle data. Management cannot delegate this to a policy document sitting on a SharePoint site. They must ensure personnel are briefed, trained, and aware that compliance is a condition of employment, not a recommendation.

The control exists because organizations routinely write comprehensive security policies and then fail to operationalize them. A policy without management enforcement is shelf-ware. Control 5.4 forces the question: does your leadership team actively drive security behavior, or do they just sign off on documents once a year?

Why 5.4 Matters

Organizations that fail to implement this control often discover the gap during an incident, not an audit. In a common pattern, a company maintains a detailed information security policy — access controls, data handling procedures, acceptable use rules — but management never communicates those requirements to personnel in any meaningful way. Employees bypass procedures because no one told them the procedures mattered. A staff member copies sensitive client data to a personal device for convenience. No one notices because no one was looking. The exposure surfaces months later during a client audit or, worse, a regulatory investigation.

This is a governance failure, not a technical one. The risk class is organizational: when management does not enforce security responsibilities, the entire control environment weakens. The severity compounds over time because each unchecked violation normalizes non-compliance. Staff observe that colleagues bypass procedures without repercussions and adjust their own behavior accordingly. Within months, the gap between documented policy and actual practice becomes so wide that the security program exists only on paper.

The downstream consequences extend beyond operational risk. Certification auditors will probe whether management has taken concrete steps to communicate and enforce security requirements. An auditor who interviews floor-level staff and finds they cannot describe their security responsibilities — or even name the policies that apply to their role — will raise a nonconformity. That nonconformity traces directly to management’s failure to fulfill the obligations in 5.4. For organizations pursuing or maintaining ISO 27001 certification, this control is not peripheral; it is foundational to demonstrating that the ISMS is more than a documentation exercise.

What attackers exploit

  • Uninformed personnel: Staff who never received role-specific security training are significantly more susceptible to social engineering, phishing, and pretexting attacks. Human factors in cybersecurity remain the most exploited attack surface. Ponemon Institute found that negligent insiders account for 55% of insider threat incidents — the single largest category.
  • Unenforced data handling procedures: When management doesn’t monitor compliance with data classification and handling rules, sensitive information migrates to unsanctioned locations — personal email, cloud storage, USB drives.
  • Credential sharing and weak authentication habits: If leadership doesn’t model and enforce secure credential practices, shared passwords and default accounts proliferate.
  • Missing contractual obligations for contractors: Third-party personnel operating without formal security obligations in their agreements create blind spots in the control environment.
  • No disciplinary process for violations: Without consequences, policy violations become routine. Personnel learn that security rules are aspirational, not enforced.

How to Implement 5.4

For your organization (first-party)

Start with a formal management commitment. Your security governance charter or ISMS scope statement should explicitly assign management the responsibility to communicate, resource, and enforce information security policies. This cannot live only in the CISO’s domain — department heads, line managers, and project leads all carry enforcement responsibility under 5.4. Document this commitment in writing and present it during management review meetings so there is no ambiguity about who owns what.

Define what “management responsibility” means in concrete terms for each level of your organization. A department head’s security responsibilities differ from a project lead’s. The CISO sets strategy and monitors the program; line managers ensure their direct reports complete training, follow data handling procedures, and report incidents. Without this role-specific clarity, management responsibility becomes diffuse — everyone assumes someone else is handling it.

Build security responsibilities into the employee lifecycle from day one. Include specific information security obligations in job descriptions and employment contracts. Use an ISO 27001 implementation checklist to ensure nothing is missed. During onboarding, brief new personnel on the policies that apply to their role — not a generic overview, but the specific procedures they need to follow. Use role-based security awareness training delivered through a learning management system to ensure coverage and track completion.

Implement a policy acknowledgement process. Every employee and contractor should formally acknowledge they have read, understood, and agree to comply with the organization’s information security policies. Track these acknowledgements centrally — GRC platforms or policy management tools can automate distribution and capture signatures with timestamps.

Conduct periodic management reviews. At minimum quarterly, management should review the security posture: training completion rates, policy violations, incident trends, and audit findings. These reviews create the evidence trail auditors expect and force leadership to stay engaged with the security program’s operational health. Structure these reviews with a standing agenda that covers metrics against targets, open action items from previous reviews, and emerging risks. Assign owners and deadlines for every action item — management reviews that end without clear follow-up are compliance theater.

Integrate security KPIs into performance reviews for roles with significant security responsibilities. This embeds accountability into the management structure rather than treating security as a separate concern.

Establish a mechanism for personnel to report security concerns or policy violations without fear of retaliation. Whether you call it a whistleblowing process or an anonymous reporting channel, it must exist and staff must know about it. Promote the channel during onboarding and in periodic security communications. Track the volume and nature of reports as a health metric — an organization with zero reports is not necessarily secure; it may simply have a reporting culture problem.

Document every element of your implementation. Auditors will not take your word for it — they need artifacts. For each step above, ensure you are generating records that demonstrate management is actively directing and enforcing security behavior, not passively approving policies. The evidence table below outlines exactly what auditors expect to see.

Common mistakes:

  • Treating policy acknowledgement as a one-time onboarding checkbox and never refreshing it
  • Delegating all security responsibility to IT or the CISO without engaging line management
  • Failing to include contractors, consultants, and temporary staff in training and acknowledgement processes
  • Having no documented disciplinary process for security policy violations
  • Running annual security awareness training with no reinforcement or measurement throughout the year

For your vendors (third-party assessment)

When assessing vendor compliance with management responsibilities for information security, ask these questions in your vendor security assessment questionnaire:

  • How does your management communicate information security responsibilities to all personnel?
  • What training program exists for security awareness, and how frequently is it delivered?
  • Do employment contracts and third-party agreements include information security obligations?
  • How does your organization track policy acknowledgement across all personnel?

Request evidence: security awareness training completion reports, samples of employment contracts showing security clauses, management review meeting minutes, and the policy acknowledgement tracking system.

Red flags in vendor responses:

  • “Security is handled by our IT team” with no evidence of management involvement
  • No formal security awareness training program or only ad-hoc training
  • Inability to produce signed policy acknowledgements for current personnel
  • No management review cadence for information security

To verify beyond self-attestation, request a sample training completion report with dates and completion rates. Ask for the most recent management review minutes covering security topics. If the vendor holds ISO 27001 certification, request the certificate and confirm the scope covers the services they provide to you. For a structured approach to third-party risk requirements under ISO 27001, map each vendor’s controls to the standard’s expectations.

Audit Evidence for 5.4

An ISO 27001 auditor assessing control 5.4 will look for concrete proof that management does more than sign policies — they actively drive compliance. The following table lists the evidence categories auditors typically request, along with the specific artifacts that satisfy each one. If you cannot produce these documents with current data and timestamps, that gap will likely surface as a nonconformity.

Evidence Type | Example Artifact
Policy documentation | Information Security Policy stating management’s commitment to enforce personnel compliance with security requirements
Employment contracts | Template employment contract with clauses specifying information security responsibilities and consequences for non-compliance
Training records | Security awareness training completion report showing personnel names, dates, and pass/fail status from the LMS
Policy acknowledgements | Signed policy acknowledgement log with timestamps for each employee and contractor
Management review minutes | Quarterly ISMS management review meeting minutes documenting security posture, training metrics, and action items
Disciplinary procedure | Documented disciplinary process for information security policy violations, including escalation steps
Onboarding checklist | New joiner onboarding checklist confirming security briefing, policy acknowledgement, and training enrollment

The strongest evidence packages tie these artifacts together into a narrative. For example, management review minutes should reference training completion rates from the LMS and note action items for departments that fell below target. Policy acknowledgement logs should show recent dates — not just onboarding signatures from three years ago. Auditors look for evidence of a living system, not a static archive.

Cross-Framework Mapping

Framework | Equivalent Control(s) | Coverage
NIST 800-53 | AC-01 | Full
NIST 800-53 | AT-01 | Full
NIST 800-53 | AU-01 | Full
NIST 800-53 | CA-01 | Full
NIST 800-53 | CM-01 | Full
NIST 800-53 | CP-01 | Full
NIST 800-53 | IA-01 | Full
NIST 800-53 | IR-01 | Full
NIST 800-53 | MA-01 | Full
NIST 800-53 | MP-01 | Full
NIST 800-53 | PE-01 | Full
NIST 800-53 | PL-01 | Full
NIST 800-53 | PL-04 | Full
NIST 800-53 | PM-01 | Full
NIST 800-53 | PS-01 | Full
NIST 800-53 | PS-06 | Full
NIST 800-53 | PS-07 | Full
NIST 800-53 | RA-01 | Full
NIST 800-53 | SA-01 | Full
NIST 800-53 | SA-09 | Full
NIST 800-53 | SC-01 | Full
NIST 800-53 | SI-01 | Full
NIST 800-53 | SR-01 | Full
SOC 2 | CC1.4 (Board oversight), CC1.5 (Accountability) | Partial
CIS Controls v8.1 | Control 14 (Security Awareness and Skills Training) | Partial
NIST CSF 2.0 | GV.RR (Roles, Responsibilities, and Authorities) | Full
DORA (EU) | Article 5 (ICT risk management framework governance) | Partial

The breadth of NIST 800-53 mappings reflects that management responsibilities for information security cut across every control family. Each “-01” control in NIST 800-53 requires organizations to develop, document, and disseminate policies — the same foundational governance activity that 5.4 mandates from the ISO 27001 side. PS-06 and PS-07 address access agreements and third-party personnel security, directly paralleling 5.4’s requirement to ensure all personnel, including external parties, comply with security policies.

Related ISO 27001 controls:

Control ID | Control Name | Relationship
5.1 | Policies for information security | Establishes the policies that 5.4 requires management to enforce
5.2 | Information security roles and responsibilities | Defines the roles and responsibilities that 5.4 holds management accountable for communicating
5.3 | Segregation of duties | Prevents concentration of security functions that weakens the accountability structure 5.4 depends on
5.10 | Acceptable use of information and other associated assets | Specifies the use policies that personnel must follow under 5.4’s enforcement mandate
6.1 | Screening | Pre-employment checks that support the personnel security foundation 5.4 builds upon
6.2 | Terms and conditions of employment | Provides the contractual mechanism for enforcing the security responsibilities 5.4 requires
6.3 | Information security awareness, education and training | Delivers the competence and awareness that 5.4 mandates management to ensure
6.4 | Disciplinary process | Provides the enforcement mechanism for violations of the responsibilities 5.4 establishes

Frequently Asked Questions

What is ISO 27001 5.4?

ISO 27001 Annex A 5.4 is a control that requires management to actively ensure all personnel apply information security in accordance with the organization’s established policies and procedures. It shifts security from a passive compliance exercise to a leadership-driven mandate, making management accountable for communicating expectations, providing resources, and enforcing adherence across the workforce.

What happens if 5.4 is not implemented?

Without management enforcement of security responsibilities, policies become theoretical documents that personnel ignore in daily operations. This creates an environment where credential sharing, unauthorized data transfers, and unmonitored access go unchecked — leaving the organization exposed to insider threats and likely to fail an ISO 27001 certification audit due to missing evidence of management commitment.

How do you audit 5.4?

Auditors assess 5.4 by requesting evidence that management actively enforces security policy compliance: signed policy acknowledgements, security awareness training completion records, management review meeting minutes, and employment contracts with security clauses. Preparing for an ISO 27001 audit means having these artifacts ready before the assessor arrives. They will also interview personnel at various levels to verify that security responsibilities have been communicated and are understood — not just documented.

How UpGuard Helps

Track management accountability for personnel security across your organization and supply chain.

UpGuard User Risk helps security teams monitor and verify that personnel meet their information security obligations — from policy compliance tracking to identifying gaps in your workforce’s security posture. By centralizing visibility into how your organization and its vendors manage personnel security responsibilities, you can demonstrate the management oversight that control 5.4 demands. Learn more about UpGuard User Risk.
