If you have been working with ISO 27001 for a while, you know that the 2022 update brought some significant shuffling to the Annex A controls. One of the most critical areas for any Information Security Management System (ISMS) is how leadership stays involved. In the 2022 version, this is covered under Control 5.4: Management Responsibilities.
But what actually changed between the old 2013 framework and the new 2022 update? If you are looking at your compliance roadmap and wondering if you need to overhaul your management processes, here is everything you need to know about the transition for Annex A 5.4.
The Shift from A.7.1.1 to 5.4
In the ISO 27001:2013 version, management responsibilities sat within the Human Resources Security section, specifically under Control A.7.1.1. It was tucked away in a spot that primarily focused on what happened before, during, and after employment.
In the ISO 27001:2022 update, this control was moved to the “Organizational” category and renamed Control 5.4. While the core intent remains similar, the move reflects a broader understanding of information security. It isn’t just an HR checkbox anymore; it is a fundamental organizational requirement. According to Hightable.io, this shift highlights that management’s role in security is constant and integrated into the daily operations of the business, rather than just a hiring or firing formality.
What Does Annex A 5.4 Require Now?
The essence of Annex A 5.4 is ensuring that management requires all employees and relevant external parties to apply information security in accordance with the established policies and procedures of the organization.
The goal is to move security from a “suggestion” to a “requirement.” Management must ensure that everyone knows what is expected of them and that there are consequences or procedures in place if those expectations aren’t met. It’s about creating a culture of accountability that starts at the top.
Key Differences in the 2022 Version
While the fundamental requirement for managers to lead by example hasn’t changed, the 2022 version introduces a more streamlined and modern approach to how this is audited and documented.
The most notable change is the emphasis on “relevant external parties.” In our modern, interconnected world, your security is only as strong as your weakest link—which is often a contractor or a service provider. The 2022 version makes it clearer that management’s responsibility extends to ensuring these external partners are also following the rules. Hightable.io notes that this increased scope requires more robust communication and verification processes than were typically seen under the 2013 standard.
Additionally, the 2022 version aligns better with the concept of “Security Attributes.” You can now categorise this control by its purpose (Governance), its information security properties (Confidentiality, Integrity, Availability), and its operational capabilities. This makes it much easier for modern security teams to map their controls to other frameworks.
How to Implement the Updated 5.4 Control
Transitioning to the 2022 version doesn’t mean you have to start from scratch, but you should refine your approach. To satisfy the requirements of Annex A 5.4, management should focus on three main areas:
1. Clear Communication: Managers must ensure that every team member is aware of their security roles. This isn’t just a one-time email during onboarding; it’s an ongoing dialogue. High-level policies should be translated into actionable steps that make sense for specific departments.
2. Leading by Example: It is difficult to enforce a clean desk policy or multi-factor authentication if the leadership team isn’t doing it. Management must demonstrate their commitment to the ISMS through their own actions.
3. Establishing Accountability: There must be a clear process for when things go wrong. Whether it’s a formal disciplinary process for policy violations or a recognition program for security-conscious behavior, management must show that security is a priority that carries weight within the company.

The Verdict: Evolution, Not Revolution
The change from ISO 27001:2013 A.7.1.1 to ISO 27001:2022 5.4 is an evolution. It takes a control that was previously siloed in HR and places it exactly where it belongs: at the heart of organizational governance. By broadening the scope to include external parties and emphasizing continuous accountability, the 2022 version provides a much more realistic framework for managing security in the modern age.
If you are currently transitioning, focus on documenting how management communicates expectations and how they verify that those expectations are being met. As Hightable.io suggests, the key is to prove that management isn’t just aware of the security policy, but is actively driving its success.
