
#iso27002/2022/EN

5.4 Management responsibilities

Control

Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.

Purpose

To ensure management understand their role in information security and undertake actions aiming to ensure all personnel are aware of and fulfill their information security responsibilities.

Guidance

Management should demonstrate support of the information security policy, topic-specific policies, procedures and information security controls.

Management responsibilities should include ensuring that personnel:

a)   are properly briefed on their information security roles and responsibilities prior to being granted access to the organization's information and other associated assets;

b)   are provided with guidelines which state the information security expectations of their role within the organization;

c)   are mandated to fulfill the information security policy and topic-specific policies of the organization;

d)   achieve a level of awareness of information security relevant to their roles and responsibilities within the organization (see 6.3);

e)   comply with the terms and conditions of employment, contract or agreement, including the organization's information security policy and appropriate methods of working;

f)   continue to have the appropriate information security skills and qualifications through ongoing professional education;

g)   where practicable, are provided with a confidential channel for reporting violations of information security policy, topic-specific policies or procedures for information security (“whistleblowing”). This can allow for anonymous reporting, or have provisions to ensure that knowledge of the identity of the reporter is known only to those who need to deal with such reports;

h)   are provided with adequate resources and project planning time for implementing the organization's security-related processes and controls.

Other information

No other information.