This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.5.4 Management responsibilities.
ISO 27001: 2022 Control Description
Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organisation.
Purpose
To ensure management understands their role in information security and takes action to ensure all personnel are aware of and fulfil their information security responsibilities.
Guidance on Implementation
Management should support the information security policy, specific policies, procedures, and controls. Their responsibilities should include ensuring that personnel:
a) Are properly briefed on their information security roles and responsibilities before being granted access to the organisation’s information and assets;
b) Are provided with guidelines stating the information security expectations for their roles within the organisation;
c) Are required to adhere to the organisation’s information security policy and specific policies;
d) Achieve a level of awareness of information security relevant to their roles and responsibilities within the organisation;
e) Comply with the terms and conditions of employment, contracts, or agreements, including the organisation’s information security policy and appropriate working methods;
f) Maintain appropriate information security skills and qualifications through ongoing professional education;
g) Are provided, where practicable, with a confidential channel for reporting violations of information security policy, specific policies, or procedures ("whistleblowing"). This should allow for anonymous reporting or ensure that the reporter's identity is known only to those handling the reports;
h) Are given adequate resources and project planning time for implementing the organisation's security-related processes and controls