Background
----------

ISO/IEC 27002:2022 clause 5.4 (Management responsibilities) states that "Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization [in order] to ensure management understand their role in information security and undertake actions aiming to ensure all personnel are aware of and fulfil their information security responsibilities."

Policy statements
-----------------

1. Managers must mandate, and visibly demonstrate their support for, the organisation's information security policy, topic-specific policies, procedures and controls, allocating adequate resources and setting priorities accordingly.

2. Management responsibilities include ensuring that workers:
   - are made aware of their information security roles and responsibilities;
   - comply with corporate policies, employment or service contracts or agreements, laws, regulations and ethical expectations;
   - maintain adequate levels of awareness and compliance in practice, not merely on paper.

3. Information processes, systems and security controls must be supervised and/or inspected to confirm that the residual information risks remain at an acceptable level.

4. Routine oversight should be an integral part of normal operations; additional oversight may be appropriate in particularly risky situations (for example, during major changes or in areas handling highly sensitive information).

5. Management should provide appropriate channels and mechanisms through which workers can report non-compliance, information security incidents, breaches, near-misses and similar events.

Notes
-----

This is a "skeleton" policy providing just the bare bones, the basic foundations on which to construct a custom policy for your organisation. Jump-start the process by visiting www.SecAware.com for a more comprehensive, customisable policy template in MS Word.