ISO27001:2022 - Annex A 5.4 - What's changed?

What's new with the 2022 version of ISO27001? Let's go through everything you need to know about Annex A 5.4 - Management Responsibilities.

Threats to your organisation’s privacy and security are continuously on the rise, and it's more vital than ever to ensure your organisation implements measures to combat these threats. ISO27001 as a standard lays out the requirements for implementing an effective information security management system (ISMS) within your organisation, and with the introduction of the 2022 version of the ISO27001 standard, these requirements have been recategorised and further clarified. Annex A 5.4 is about management responsibilities.

What are management responsibilities?

Coordinating information security responsibilities at a management level is critical to the smooth running of your organisation's ISMS and to establishing an effective culture of security from the top down. Management is directly responsible for the effectiveness, efficiency, and continual improvement of an ISMS. This is achieved through various means.

Leadership and commitment

Management is expected to display leadership and commitment to the implementation and maintenance of an ISMS through all levels of the organisation.

Resource allocation

It is essential that management allocates sufficient financial, human, and technological resources to an ISMS so that it can remain efficient and functional in protecting your assets and operations.

Risk management

A robust risk management process should be established, implemented, and maintained to continually identify, assess, and treat potential risks to security. This should be continuously facilitated by management.

Objectives and planning

Management should establish S.M.A.R.T. information security objectives and targets, develop plans to achieve them, and regularly review the performance of the ISMS against these objectives.

Monitoring and measurement

Management should establish processes for monitoring, measuring, and evaluating the overall performance of the ISMS. This should include the effectiveness of controls and achievement of previously established security objectives.

Support and training

Employees should be supported by management to ensure they have the ability and knowledge to perform their information security responsibilities and duties. This should be done by facilitating regular training, support, and awareness programs and communications.

Communication

Management is responsible for making sure that information regarding the organisation’s security matters is effectively communicated internally, externally, and to any relevant interested parties.

Review and audit

Regular reviews and audits of the ISMS should be conducted to ensure its effectiveness, identify potential areas for improvement, and continually ensure compliance with ISO27001 and other applicable standards and legislation.

Compliance

Management must ensure that the organisation is continually complying with relevant laws, regulations, contractual obligations, and other requirements related to information security.

Continual improvement

It is important for management to establish a culture of continual improvement by taking corrective and preventive actions (CAPAs) and regularly reviewing and improving the ISMS. Actions such as regular management meetings and other meetings and reviews pertaining directly to the ISMS can help establish this.

What is Annex A 5.4?

Annex A 5.4 is all about management responsibilities and the responsibility of management to ensure every employee and contractor is equipped and capable of handling their information security obligations. The control requires that managers understand information security threats, risks, and the controls being applied to preserve the organisation’s assets and operations. Managers should facilitate their employees’ ability to perform their roles with appropriate understanding of information security and their own obligations in terms of the organisation’s policies and procedures. This also includes setting a good precedent by leading by example.

Establishing managerial responsibilities is not only applicable to ISO27001; it is often a requirement of standards and legislation pertaining to information security and otherwise. One such example of this is the NHS DSP (Data Security and Protection Toolkit), a self-assessment tool that must be completed by any organisation that wishes to access NHS data or systems. This control, for example, ties directly into evidence item 1.3.9, which requires the organisation to set data security and protection direction at a management level and translate this into effective organisational practices.

So what’s changed?

In terms of the 2013 standard, this control maps directly to A.7.2.1, management responsibilities. ISO27002 is a standard closely aligned to ISO27001, and is essentially guidance on how to effectively implement an ISMS to ISO27001 standards. We can compare the changes in ISO27002 guidelines for each control to concretely ascertain what has changed with the ISO27001 version of the control.

The 2013 version of the guidelines requires that management ensures that employees and contractors:

  • Are briefed and understand their roles in terms of information security and their responsibilities before being given access to any confidential information or information systems.
  • Are given specific guidelines which state the information security requirements and expectations of their role.
  • Are sufficiently motivated to abide by the information security policies of the organisation.
  • Are trained to reach a level of awareness on information security as required by their role within the organisation.
  • Abide by the terms and conditions of their employment.
  • Are educated on information security on a regular basis and maintain the level of skills and qualifications required by their role in the organisation.
  • Are able to access an anonymous reporting channel to report any non-conformities and violations of internal policies and procedures.

Many of the updated guidelines are similar, but there are a few changes and additions. With the changes in the 2022 version of the guidelines, management is now expected to ensure that employees and contractors:

  • Are briefed and understand their roles in terms of information security and their responsibilities before being given access to the organisation’s information or assets.
  • Are given specific guidelines which state the information security requirements and expectations of their role.
  • Are required to abide by the information security policy and topic-specific policies of the organisation.
  • Are trained to reach a level of awareness on information security as required by their role within the organisation.
  • Remain compliant with the terms and conditions of employment, contract or agreement, including the organisation's internal policies and procedures, relating to information security and otherwise.
  • Have ongoing education to ensure a good level of information security skills and qualifications as required by their role.
  • Are provided with a confidential channel for reporting any violations of internal information security policies and procedures, which either allows for anonymous reporting or has sufficient measures in place to ensure the identity of the reporter is protected and known only to those who need to deal with the report.
  • Are provided with the resources and time required for ensuring the organisation’s security-related processes and controls are sufficiently implemented and accounted for.

How Harpe can help you implement Annex A 5.4

Our security professionals have developed Harpe, a revolutionary tool to cover all your organisation’s security needs. Harpe is the best tool on the market to make compliance with important standards like Cyber Essentials and ISO27001 quick and hassle-free. Harpe features guidance for implementing ISO27001 to the updated 2022 standard with everything you need. Our in-app checklist takes you through every step to implement a robust and secure ISMS within the new requirements.

Harpe helps you to define the responsibilities of your team at each step, with tools specifically to aid in management of your ISMS and defining the responsibilities of your management team. We make it easy to establish your objectives, plan your management meetings, and manage your CAPAs (corrective and preventive actions). With our in-application training tools, we can help you create a security culture in your organisation to ensure your assets and data stay safe, facilitating the continuous training of your employees. Harpe makes the management process easy throughout all levels of your organisation.

With constant updates and fast support, there has never been a better time to chase an ISO27001:2022 certification with Harpe.
