Navigating ISO 27001 Annex A: Control A.5.4

Blog Series

Welcome to our ISO 27001 Annex A Blog series:

Management's role in information security extends beyond setting policies; it's about fostering a culture of security throughout the organisation. Following our previous blog on ISO 27001 Annex A Control A.5.3, this fourth instalment focuses on Control A.5.4. This control highlights that security isn't merely an IT issue—it's a shared responsibility. We'll explore how management can transform intentions into everyday actions, ensuring each team member understands their role in protecting information. When leaders prioritise security, it becomes an integral part of the workplace culture, empowering everyone to contribute effectively.

What are the requirements from the standard?

Control A.5.4 – Management responsibilities requires that management ensure that information security responsibilities are assigned, communicated, and understood, and that personnel are aware of their personal responsibility for protecting information.

ISO/IEC 27002:2022 makes it clear that this is not limited to policies or job descriptions. Management is expected to:

  • Actively support information security objectives.
  • Ensure policies and procedures are implemented in practice.
  • Promote a culture where information security is seen as part of everyone’s job.

Annex E of ISO/IEC 27006-1:2024 highlights typical audit evidence such as:

  • Management statements demonstrating support for information security.
  • Explicit reference to personal responsibility for information security.
  • Visible management involvement in ISMS activities.

In short, this control turns leadership intent into day-to-day accountability.

Why this control matters

You can have the best policies, tools, and controls in place, but if management treats information security as “an IT problem,” the ISMS will never mature.

This control matters because people follow what leadership prioritises.
If managers don’t take information security seriously, neither will their teams.

From an auditor’s perspective, Control 5.4 is often where the real culture of the organisation becomes visible. You can feel immediately whether security is lived or just documented.

How to implement

  • Specify information security responsibilities for top management, middle management, and team leads.
  • Ensure these responsibilities are reflected in job roles and governance documents.

  • Management should endorse policies, objectives, and key ISMS decisions.
  • Participation in management reviews and security briefings is key.

  • Employees should understand that protecting information is part of their role.
  • This should be reinforced through onboarding, awareness sessions, and internal communications.

  • Managers must follow the same rules as everyone else (access controls, clean desk, incident reporting).
  • Exceptions undermine credibility.

  • Security should be considered in projects, supplier decisions, and changes — not added afterwards.

How auditors assess this

Auditors don’t just read policies, they look for behavioural evidence.

Typical audit activities include:

  • Reviewing management statements, meeting minutes, and communications
  • Interviewing managers to understand how they support and enforce information security
  • Asking employees who they think is responsible for information security and why
  • Checking whether management actions align with stated policies

In audits, I often ask simple questions like: “What happens if a security rule is not followed?”
If the answer is vague, Control 5.4 usually needs attention.

Practical tips

  • Make information security a standing agenda item in management meetings
  • Use short, clear management messages instead of long policy documents
  • Include information security responsibilities in performance discussions
  • Reinforce accountability through real examples, not just theory
  • Ensure managers are trained before expecting them to enforce controls

Common pitfalls

  • Treating information security as purely technical
  • Assuming “policy approval” equals leadership commitment
  • Managers bypassing controls “because it’s urgent”
  • No clarity on who is accountable when something goes wrong
  • Employees unaware they personally carry security responsibilities

One of the most common audit findings I see is that management support exists on paper, but not in behaviour. Auditors notice that very quickly.

Final thoughts

Control 5.4 is about tone from the top, but also about consistency throughout the organisation.
When management takes ownership of information security, controls become easier to implement, audits become smoother, and incidents become less frequent.

From my auditing experience, organisations that get this control right rarely struggle with the rest of Annex A. Leadership makes the difference!

The author

Dimitar Yotov

Scheme Manager ISMS
