
Management Policy Accountability


Confluence page header

Page title:    Management Policy Accountability
Parent:        ISMS Home
SCM variant:   isms-management (primary read access)
               isms-security (full access — CISO maintains this page)
               isms-all-staff: NOT visible
               isms-it-staff: NOT visible
Page owner:    CISO
Last reviewed: [DATE]
Next review:   [DATE + 12 months — reviewed annually at management review]

Purpose of this page

This page exists because ISO 27001, NIST SP 800-171, CMMC, and DEFSTAN 05-138 all treat management accountability as distinct from the security team's operational responsibilities. Assessors from certification bodies, C3PAO assessors, and DEFSTAN contracting authorities will interview management — not just IT staff — to verify that senior leaders understand their security obligations, have actively fulfilled them, and can point to evidence.

A common finding at ISO 27001 management interviews is not that management is uninformed, but that management accountability is concentrated in the CISO rather than distributed across the leadership team. Policies signed by a CISO who reports to a director who has never reviewed the policy do not satisfy ISO 27001 clause 5.1 (leadership and commitment). This page defines what each management role must do, not what the security team does on their behalf.

Three things this page is not: it is not a repetition of the policies themselves; it is not a technical procedure; and it is not a list of what the security team does. It is the accountability map — who owns what, what action is required, and what sign-off is needed.


Section 1 — The accountability hierarchy

How accountability flows from the board through senior management to line managers, and why each level has distinct obligations.


Why this hierarchy matters for compliance

ISO 27001 clause 5.1 requires that top management demonstrate leadership and commitment by: taking accountability for the effectiveness of the ISMS; ensuring the information security policy is established, communicated, and compatible with strategic direction; ensuring ISMS objectives are established; ensuring integration of ISMS requirements into the organisation's processes; ensuring resources are available; and communicating the importance of effective information security management.

The clause explicitly says "top management" — not the CISO. An ISO 27001 auditor who asks a board member "what is your role in the ISMS?" and receives "I trust the CISO to manage that" is likely to record a nonconformity against clause 5.1.

CMMC (32 CFR part 170) requires an Affirming Official, defined in 32 CFR 170.4 as a senior-level representative with the authority to affirm the organisation's continuing compliance, to affirm annually that the applicable security requirements are implemented and maintained. This ISMS assigns that role to a named director or officer, not the CISO. A false affirmation can expose both the organisation and the individual to liability under the False Claims Act, so the Affirming Official must genuinely understand what they are affirming.

DEFSTAN 05-138 Profile 1 §Governance requires a named individual accountable for security — described in DEFSTAN terms as the organisation's "senior responsible owner" for information security. This is typically the CISO or an equivalent, but the contracting authority expects that individual to have direct access to and the confidence of senior leadership.


The accountability levels

LEVEL 1 — BOARD / GOVERNING BODY
  What they own: the strategic direction of the ISMS; ultimate accountability
  for the organisation's security posture; specific board-level decisions
  (material risk acceptance, major investment, scope of certification)
  Who this is: [Directors / Board members — name]
  How often they engage: Annual (management review + CMMC affirmation);
  immediately on significant incident

LEVEL 2 — SENIOR MANAGEMENT (Directors, Heads of Function)
  What they own: policy approval; risk appetite; resource allocation;
  management review participation; management decisions escalated from CISO
  Who this is: [List of named senior managers and their roles]
  How often they engage: Quarterly (risk posture review); annually (management
  review); immediately on escalated incidents or compliance decisions

LEVEL 3 — CISO
  What they own: the ISMS programme; all operational security decisions within
  the risk appetite; evidence production; all assessor-facing activity;
  escalation to senior management when decisions exceed CISO authority
  Who this is: [CISO Name]
  How often they engage: Continuous (day-to-day operation of the ISMS)

LEVEL 4 — LINE MANAGERS
  What they own: enforcement of policies within their teams; JML process
  initiation; security culture; access confirmation at the annual access review;
  escalation of incidents or concerns observed in their teams
  Who this is: All managers with direct reports in the ISMS scope
  How often they engage: Per event (JML, incidents); annually (access review
  confirmation, training completion chase)

LEVEL 5 — INDIVIDUAL CONTRIBUTORS (IT STAFF AND ALL STAFF)
  Covered in the policy documents and Fundamental Controls pages
  Not in scope for this page

Section 2 — Board and senior management sign-off requirements

These are the decisions that cannot be delegated to the CISO. They require documented approval by the named authority. Each item identifies what evidence of approval is retained.


Annual obligations — must be completed every year

Policy suite annual re-approval
  What is required: All 12 ISMS policies reviewed and re-approved for the
  coming year. The CISO may propose changes; the approving authority confirms
  they have read and agreed the current content.
  Authority required: Senior management (Director or equivalent) for each
  policy — see Section 3 for per-policy approval authorities
  Evidence retained: Signed approval record or Confluence page sign-off (page
  version + date + name) for each policy
  Deadline: Before the annual management review

Risk appetite statement confirmation
  What is required: The risk appetite thresholds on the Management Risk Posture
  page reviewed and confirmed as still appropriate. Any change to thresholds
  requires explicit documentation.
  Authority required: Senior management — ideally the same authority as the
  management review chair
  Evidence retained: Management review minutes (EV-A01) recording that risk
  appetite was reviewed and confirmed
  Deadline: At annual management review

ISMS scope statement confirmation
  What is required: The scope of the ISMS (which systems, sites, processes, and
  information) reviewed and confirmed as accurate. Any scope change must be
  reflected in the SSP within 30 days.
  Authority required: CISO (operational decision) + Senior management
  (endorsement at management review)
  Evidence retained: Management review minutes (EV-A01); SSP updated within
  30 days if scope changed
  Deadline: At annual management review

CMMC senior official affirmation
  What is required: A named senior official (the Affirming Official defined in
  32 CFR 170.4; this ISMS requires a Director or equivalent, not the CISO
  alone) affirms that the applicable security requirements are implemented and
  maintained and that the self-assessment results and SPRS score reflect the
  organisation's actual implementation status. A false affirmation can expose
  the organisation and the individual to liability under the False Claims Act.
  Authority required: Director or equivalent who meets the Affirming Official
  definition in 32 CFR 170.4
  Evidence retained: Signed senior official affirmation statement (EV-E03
  component)
  Deadline: Before SPRS submission deadline

Annual management review
  What is required: Formal review of ISMS performance, risk posture, audit
  results, and resource decisions. ISO 27001 clause 9.3 specifies the inputs
  the review must consider and requires documented information as evidence of
  its results.
  Authority required: Top management participation required — not delegated
  to CISO
  Evidence retained: Management review minutes (EV-A01)
  Deadline: Annual — date set at beginning of each year

ISMS security objectives
  What is required: Approval of the security objectives for the coming year,
  with measurable targets and resource commitment.
  Authority required: Senior management
  Evidence retained: Documented in management review minutes (EV-A01)
  Deadline: At management review

Internal audit programme
  What is required: Approval of the annual internal audit programme, confirming
  scope, auditor independence, and schedule.
  Authority required: Senior management
  Evidence retained: Audit programme document with approval signature
  Deadline: Q1 of each year

Threshold-based obligations — required when triggered

These obligations arise when specific events or thresholds are reached. They are not annually scheduled — they require management action on the terms defined below.


Material risk acceptance

Trigger: A risk in the register has a residual rating that exceeds the stated risk appetite, and the CISO has determined that the risk cannot be brought within appetite without a management decision on investment or scope.

What is required: The named management authority reviews the risk (from the Management Risk Posture page or directly from the risk register), understands the residual exposure, and makes one of three decisions: fund treatment to bring the risk within appetite; formally accept the elevated risk with documented rationale; or direct that the risky activity be avoided.

Authority required:
- Residual High risk (10–19): CISO may accept within the ISMS operational mandate, but must notify senior management. Senior management confirmation is required if the risk has remained High for more than 90 days.
- Residual Very High risk (20–25): Senior management sign-off required. Board notification required if the Very High risk relates to CUI confidentiality or a DEFSTAN contractual obligation.
- Any risk acceptance where realisation would trigger DFARS reporting, DEFSTAN authority notification, or ICO notification: Director-level sign-off required.

Evidence retained: Risk acceptance record (child page of 05 · Risk Register, or within the risk register entry itself) containing: risk ID, residual rating, acceptance rationale, compensating controls in place, named acceptor signature, review date.


ISMS scope change

Trigger: A new system, site, process, or information type is proposed for inclusion in the ISMS scope, or a currently in-scope element is proposed for exclusion.

What is required: Senior management confirmation that the scope change is appropriate and that the SSP will be updated. The CISO presents the proposed change with its compliance implications (e.g. adding a new site to scope extends Cyber Essentials coverage obligations).

Authority required: CISO proposes; Director endorses at management review or via documented out-of-cycle approval.

Evidence retained: Management review minutes or out-of-cycle approval record; SSP update dated within 30 days of approval.


Security certification investment decisions

Trigger: A treatment investment proposal is brought to management by the CISO because a risk cannot be brought within appetite through operational means alone.

What is required: Senior management reviews the CISO's proposal (documented in the Management Risk Posture page — Treatment Investment Decisions section), evaluates the options presented, and makes a decision: approve, approve with modifications, defer, or decline.

Authority required: Director or equivalent for investments requiring budget approval above CISO operational authority.

Evidence retained: Management actions and decisions log (Section 8 of Management Risk Posture page); budget approval documentation.


Significant security incident

Trigger: A security incident classified as Class 2 or above (execution suspected, confirmed breach, or ransomware). Class 1 incidents (automatic remediation, no execution) do not trigger management escalation unless there is a pattern.

What is required:
- Class 2 (execution suspected): Senior management notified within 4 hours of CISO notification. No management decision required unless the incident reveals a material risk that changes the risk posture. Management confirms whether regulatory notifications are required.
- Class 3/4 (confirmed breach or ransomware): Director-level involvement from initial notification. Management makes decisions on: external communications; regulatory notifications (DFARS 72-hour, ICO 72-hour, DEFSTAN 24-hour); business continuity activation; and whether legal counsel should be engaged.

Authority required: For regulatory notification decisions: Director-level. The CISO initiates the process; the Director confirms that notification is appropriate.

Evidence retained: EV-D12 incident record (CISO maintains); regulatory notification records (CISO files); management decision log updated by CISO post-incident.


DEFSTAN contracting authority notification

Trigger: Any of the following events on a DEFSTAN-scoped contract: personnel with named OFFICIAL access departing; personnel with SC/DV clearance departing; security incident affecting OFFICIAL information; significant change to security architecture affecting OFFICIAL systems.

What is required: The CISO prepares the notification. The CISO's authority covers initiating the notification. However, the contracting authority communication record should be reviewed by a Director for incidents involving potential breach of OFFICIAL data — the Director's awareness is the accountability evidence.

Authority required: CISO initiates; Director aware and confirming appropriateness of the notification content for significant incidents.

Evidence retained: EV-E → DEFSTAN → [Contract ref] → Contracting Authority Correspondence.


New defence contract requiring CMMC or DEFSTAN compliance

Trigger: A new contract is bid for or awarded that introduces a new compliance obligation — a new CMMC scope, a new DEFSTAN profile level, a new Cyber Essentials requirement.

What is required: The CISO assesses the compliance gap between the new obligation and the current posture, presents the gap analysis to management, and obtains a commitment on the resources needed to close the gap before the contract commencement date.

Authority required: Director or contract owner approves the compliance commitment alongside the commercial commitment. The organisation should not accept a contract with a compliance obligation it is not resourced to meet.

Evidence retained: Management decision log; gap analysis document; resource commitment record.


Section 3 — Per-policy sign-off requirements

For each of the twelve ISMS policies, this table defines who must approve the policy annually, what the approval process looks like, and where the evidence is retained. The CISO reviews and drafts proposed policy content; the approving authority confirms and signs.


Why annual re-approval matters

ISO 27001 clause 5.2 requires that the information security policy is established, communicated, and available; Annex A control 5.1 requires policies to be reviewed at planned intervals and when significant changes occur. Neither specifies a frequency, but "planned intervals" combined with the certification body expectation of annual review means all major policies are reviewed annually. More importantly, an ISO 27001 auditor will ask the approving signatory what they reviewed and what they approved. A policy that was signed in 2021 and has not been touched since will not survive this question at a 2025 surveillance audit.

The sign-off process is not a rubber stamp. The approving authority is expected to have read the policy and to be able to confirm that it remains appropriate for the organisation's current context. Where circumstances have changed — a new contract, a new business unit, a regulatory change — the policy content should reflect that change before sign-off.


01 · Information Security Policy
  Approving authority: [Director — Managing Director / CEO / Board Chair]
  Rationale: This is the top-level policy. ISO 27001 clause 5.2 requires it
  to be established by top management.
  Annual review process: CISO drafts any proposed changes → Director reviews
  at management review or in a dedicated session → Director signs the
  Confluence page or provides a dated written approval
  Evidence retained: Management review minutes (EV-A01) confirming policy was
  reviewed; Confluence page version history showing date of last update
  Confluence location: 01 · Policies → Policy 01

02 · Acceptable Use Policy
  Approving authority: [Director — or delegated to HR Director with CISO
  co-approval]
  Rationale: This policy governs staff behaviour; its legitimacy as an
  enforceable standard requires appropriate authority.
  Annual review process: HR Manager proposes changes (especially if employment
  law or company handbook has changed) → CISO confirms security requirements
  remain addressed → approving authority signs
  Evidence retained: Policy version page with approval date; EV-A09 (ISMS
  communications — evidence this policy was communicated to all staff)
  Confluence location: 01 · Policies → Policy 02

03 · Access Control Policy
  Approving authority: [IT Manager + CISO co-approval]
  Rationale: This is an operational policy; CISO approval is the primary
  control, but IT Manager must confirm operational feasibility.
  Annual review process: CISO reviews against current system configuration
  (any new systems added? any control changes?) → IT Manager confirms
  operational implementation is current → CISO signs
  Evidence retained: Policy version page
  Confluence location: 01 · Policies → Policy 03

04 · Information Classification and Handling Policy
  Approving authority: [CISO — with Director awareness]
  Rationale: Classification policy has compliance implications for CMMC and
  DEFSTAN; Director should be aware of any changes that affect how CUI or
  OFFICIAL is handled.
  Annual review process: CISO reviews → any change to CUI or OFFICIAL
  classification requirements flagged to Director → CISO signs; Director
  informed at management review
  Evidence retained: Policy version page; management review minutes noting
  classification policy status
  Confluence location: 01 · Policies → Policy 04

05 · HR Security Policy
  Approving authority: [HR Director or HR Manager + CISO co-approval]
  Rationale: This policy governs employment lifecycle security — screening,
  contracts, disciplinary process, leaver obligations. HR owns the process;
  CISO owns the security requirements.
  Annual review process: HR Manager proposes changes (especially employment
  law changes) → CISO reviews security requirements → both sign
  Evidence retained: Policy version page with dual sign-off
  Confluence location: 01 · Policies → Policy 05

06 · Incident Management Policy
  Approving authority: [CISO — with Director awareness]
  Rationale: The IRP and this policy define the incident response capability.
  Directors need to understand their role at escalation; they do not need to
  approve the technical process.
  Annual review process: CISO reviews → any change to regulatory notification
  obligations (DFARS, ICO, DEFSTAN clocks) flagged to Director → CISO signs;
  Director briefed at management review
  Evidence retained: Policy version page; management review record confirming
  Director was briefed on notification obligations
  Confluence location: 01 · Policies → Policy 06

07 · Business Continuity Policy
  Approving authority: [Director — or Operations Director]
  Rationale: Business continuity has executive consequences; its scope and
  investment level is a management decision, not a technical one.
  Annual review process: Operations or IT Manager proposes changes → Director
  reviews RTO/RPO commitments (are they still achievable?) → Director signs
  Evidence retained: Policy version page with Director signature
  Confluence location: 01 · Policies → Policy 07

08 · Change Management Policy
  Approving authority: [IT Manager + CISO co-approval]
  Rationale: Operational policy governing how system changes are managed.
  Annual review process: IT Manager reviews CAB composition and change
  categories → CISO reviews security impact analysis requirements → both sign
  Evidence retained: Policy version page with dual sign-off
  Confluence location: 01 · Policies → Policy 08

09 · Supplier Security Policy
  Approving authority: [Procurement Director / Commercial Director + CISO
  co-approval]
  Rationale: Supplier security affects contractual relationships; the
  commercial team must be aligned with the security requirements placed on
  suppliers.
  Annual review process: CISO reviews security requirements →
  Procurement/Commercial Director confirms requirements are being applied in
  practice at contract negotiation → both sign
  Evidence retained: Policy version page with dual sign-off
  Confluence location: 01 · Policies → Policy 09

10 · Physical Security Policy
  Approving authority: [Facilities Manager + CISO co-approval]
  Rationale: Physical security is operationally owned by Facilities; CISO
  ensures it meets ISMS requirements.
  Annual review process: Facilities Manager reviews any building changes (new
  zones, relocated equipment, new contractors) → CISO confirms requirements
  remain appropriate → both sign
  Evidence retained: Policy version page with dual sign-off
  Confluence location: 01 · Policies → Policy 10

11 · Cryptography and Encryption Policy
  Approving authority: [CISO — with Director awareness for DEFSTAN contracts]
  Rationale: Cryptography policy has FIPS validation implications for CMMC and
  government-approved cryptography implications for DEFSTAN.
  Annual review process: CISO reviews → any change to FIPS validation
  obligations or NCSC guidance flagged to Director for DEFSTAN contracts →
  CISO signs; Director aware
  Evidence retained: Policy version page
  Confluence location: 01 · Policies → Policy 11

12 · Data Protection and Privacy Policy
  Approving authority: [Data Protection Officer (if appointed) + CISO +
  Director]
  Rationale: UK GDPR Article 24 expects the controller to implement
  appropriate data protection policies where proportionate. The DPO, if
  appointed, has an independent role in ensuring compliance; the Director is
  ultimately accountable to the ICO.
  Annual review process: DPO reviews any regulatory changes (ICO guidance,
  EDPB guidance) → CISO confirms technical controls remain appropriate →
  Director signs as the accountable party for ICO purposes
  Evidence retained: Policy version page with Director signature; ICO
  registration (data protection fee) renewal as corroborating evidence
  Confluence location: 01 · Policies → Policy 12

Policy review log

Maintained by the CISO. Updated after each annual review cycle. Provides an at-a-glance view of which policies are current and which are due for review.

Policy Current version Last approved Approved by Next review due Status
01 · Information Security Policy [v1.N] [Date] [Name, Role] [Date] [Current / Due / Overdue]
02 · Acceptable Use Policy [v1.N] [Date] [Name, Role] [Date] [Current / Due / Overdue]
03 · Access Control Policy [v1.N] [Date] [Name, Role] [Date] [Current / Due / Overdue]
04 · Information Classification [v1.N] [Date] [Name, Role] [Date] [Current / Due / Overdue]
05 · HR Security Policy [v1.N] [Date] [Name, Role] [Date] [Current / Due / Overdue]
06 · Incident Management Policy [v1.N] [Date] [Name, Role] [Date] [Current / Due / Overdue]
07 · Business Continuity Policy [v1.N] [Date] [Name, Role] [Date] [Current / Due / Overdue]
08 · Change Management Policy [v1.N] [Date] [Name, Role] [Date] [Current / Due / Overdue]
09 · Supplier Security Policy [v1.N] [Date] [Name, Role] [Date] [Current / Due / Overdue]
10 · Physical Security Policy [v1.N] [Date] [Name, Role] [Date] [Current / Due / Overdue]
11 · Cryptography Policy [v1.N] [Date] [Name, Role] [Date] [Current / Due / Overdue]
12 · Data Protection Policy [v1.N] [Date] [Name, Role] [Date] [Current / Due / Overdue]

Section 4 — Line manager enforcement responsibilities

Line managers are not security professionals. This section defines precisely what line managers are responsible for enforcing within their teams — nothing more, nothing less — and what they should escalate rather than attempt to resolve themselves.


Why line manager accountability matters

The CISO cannot observe every team. Security culture — the degree to which staff actually follow policies rather than technically complying with them while finding workarounds — is created or undermined at the team level. A line manager who enforces the clear desk policy, challenges tailgating, and promptly initiates the leaver process when someone resigns creates a security posture that no technical control can substitute for. A line manager who says "don't worry about the VPN if it's slow" or "just use your personal phone for this" actively undermines the technical controls.

ISO 27001 clause 6.1.2 requires an information security risk assessment process, and people-based threats (insider threat, accidental disclosure, and behavioural risk) fall within its scope. These are managed partly through technical controls and partly through the line management chain. An ISO 27001 auditor who asks line managers about their security responsibilities expects substantive answers.


What every line manager must do

These obligations apply to all line managers who have direct reports with access to CUI-scope systems, OFFICIAL information, or systems within the ISMS boundary.


Obligation 1 — Initiate the joiners process before a new person's first day

When a new team member is confirmed:
- Notify IT Operations and HR via the ITSM onboarding ticket — not email; not verbal
- Confirm the person's role and the specific systems they will need access to
- Do not tell the new person they will have access to specific systems until IT Operations confirms access is provisioned — you do not know what screening gate has cleared or not cleared
- Do not provision ad-hoc access yourself ("just share your login for now") under any circumstances
- If the new person arrives and their account is not ready: contact IT Operations, not the CISO; do not use workarounds

The CISO's obligation at this stage: none — until the IT Operations provisioning ticket is raised. If the ticket is not raised, the access does not get provisioned correctly, and the JML evidence (EV-D03) will show a gap.


Obligation 2 — Initiate the leaver process on the day a resignation or departure is confirmed

When a team member confirms they are leaving, or when you are informed that a contract is ending:
- Submit the ITSM leaver ticket the same day — not on the final day; on the day the departure is confirmed
- Reason: IT Operations targets account deactivation within 1 hour of the end of the final working day. If they do not know the final day until it arrives, they cannot meet that target. The earlier you notify, the longer the preparation window.
- Confirm the final working day in the ITSM ticket
- On the final day: confirm to IT Operations that the individual has completed their working day and collected their belongings before IT Operations deactivates the account
- Do not agree to extended access ("can they keep their email for two weeks?") without explicit CISO approval — this creates a compliance gap in the EV-D04 leaver record

What you are not responsible for: the technical account deactivation (IT Operations), the ACS card deactivation (Facilities), the SIEM pre-departure review (CISO), the NDA confirmation (HR). You initiate; others execute within their areas.


Obligation 3 — Confirm access rights at the annual access review

Once a year, the IT Manager runs an all-user access review (EV-D02). You will receive a request listing the access rights your team members currently hold and asking you to confirm each one is still appropriate.

Your obligation is to respond within the stated deadline (typically 10 working days) with a confirmation or challenge for each person in your team. You are the person best placed to know whether someone's role has changed and whether their access still reflects what they actually need.

Do not confirm access you cannot verify. If a team member is on secondment, on long-term leave, or has had their role change since the last review, flag it — do not assume it will be caught elsewhere.

If you miss the deadline: the access review evidence (EV-D02) will show your team as unreviewed for that cycle. This is an audit finding.


Obligation 4 — Report security concerns about team members promptly

You are the first to notice: the person who is stressed about a redundancy and has been copying large volumes of files; the contractor who is asking questions about systems outside their scope; the team member who told you they have been approached by a competitor; the person whose behaviour changed after they submitted their resignation.

These are not IT problems — they are management observations that may be indicators of insider risk. Your obligation is to report them to the CISO promptly. The CISO will assess whether any monitoring or action is appropriate and will advise you on how to proceed.

You are not expected to investigate. You are expected to report. "I wasn't sure if it was serious enough" is not an acceptable reason for not reporting — the CISO will make the seriousness determination.


Obligation 5 — Enforce clear desk and screen lock within your team

When you observe a team member's unattended workstation with an unlocked screen and visible information: tell them. When you observe printed materials with CUI or OFFICIAL markings left on a desk overnight or when the team member leaves the area: tell them, and if it is a repeated occurrence, report it to the CISO.

You are not responsible for checking every desk. You are responsible for setting the expectation within your team that these rules are not optional. A single conversation when you observe a breach is more effective than any policy document.


Obligation 6 — Ensure your team's annual security training is completed on time

Every person in your team must complete the annual security awareness training by the stated completion deadline. You will receive a report from the LMS showing completion status for your team members.

Your obligation:
- Chase non-completions within your team before the deadline
- Escalate persistent non-completions to HR (not the CISO) if direct reminders from you have not worked
- If a team member is on leave during the training window: ensure they complete it promptly on their return; their completion deadline extends proportionally

You are not responsible for the training content, the platform, or the aggregate organisational completion rate. You are responsible for your team.

The CISO's escalation path for non-completion: CISO notifies line managers whose team members have not completed by week 3 of the 4-week window; if still incomplete at the deadline, the CISO notifies HR for the non-completion to be managed as a policy breach under the disciplinary policy.


Obligation 7 — Observe and enforce physical security within your area

When you observe a visitor or contractor in Zone 2 or Zone 3 without an escort: challenge them politely and locate their host. You are not a security guard — you are expected to apply the same judgment you would if you saw an unfamiliar person wandering in your office without a badge.

When you observe tailgating (someone following a badge-holder through a controlled door without badging themselves): report it to Facilities Manager. You are not expected to physically stop anyone.

When a visitor is in a meeting room in your area: ensure they are with their host. Do not leave a visitor unattended in Zone 2 because "they're just in the meeting room" — Zone 2 workstations are visible from meeting rooms; CUI information on screens is visible to a visitor walking the corridor.


What line managers must escalate rather than handle themselves

Situation: Suspected malware on a team member's device
  Who to contact: IT Operations immediately (call, not email)
  Do not: Tell the person to "just ignore it" or attempt to remove it yourself

Situation: Team member reports a phishing email
  Who to contact: Confirm they have used the "Report phishing" button in their
  email client; if they clicked anything, call IT Operations immediately
  Do not: Dismiss it as "probably nothing"

Situation: Team member's device or access card is lost or stolen
  Who to contact: IT Operations (device) and Facilities Manager (card) — same
  day
  Do not: Wait to report until the end of the day or until you are sure

Situation: You observe a team member copying large volumes of files to
external storage
  Who to contact: Report to CISO immediately
  Do not: Confront the team member yourself; delete the files; attempt to
  investigate

Situation: A team member tells you they have received a suspicious request
from "IT support" asking for their password
  Who to contact: Confirm to them that real IT support will never ask for their
  password; they should report the contact to IT Operations
  Do not: Assume it is legitimate because the caller sounded professional

Situation: A regulatory authority (ICO, HMRC, police) contacts you directly
about an information security matter
  Who to contact: Escalate to CISO immediately; do not respond to the
  regulatory authority
  Do not: Attempt to handle the regulatory contact yourself; provide any
  information without CISO involvement

Situation: A DEFSTAN contracting authority contacts you directly about a
security concern
  Who to contact: Escalate to CISO immediately — DEFSTAN has a 24-hour
  notification clock; an informal conversation with a contracting authority
  contact before the CISO is aware could affect formal reporting obligations
  Do not: Provide any assurances or information to the contracting authority
  contact before CISO briefing

Line manager accountability — framework references

Line manager obligations are not invented for this ISMS. They flow from specific framework requirements:

ISO 27001:
- Clause 6.1.2 — the risk assessment process; people-based threats (insider risk, accidental disclosure) are in scope, and line managers are the primary detection mechanism
- Clause 5.1 (communicating the importance of effective information security management) and clause 7.4 (communication) — this communication happens through the line management chain
- Annex A 6.4 — disciplinary process for policy breach; line managers manage this through HR, not independently

NIST SP 800-171:
- Control 3.9.2 — protect systems containing CUI during and after personnel actions such as terminations and transfers; the leaver process is the operational expression of this control, and it depends on line managers initiating it promptly
- Control 3.2.1 — ensure managers, administrators, and users are made aware of security risks; training completion monitoring is line manager accountability

DEFSTAN 05-138:
- Profile 1 §Personnel — personnel security obligations include access initiation and termination processes that line managers control at the point of origin


Section 5 — Management training and awareness obligations

What senior management and line managers are expected to know, and how that knowledge is evidenced.


What assessors ask management

When an ISO 27001 auditor, a C3PAO assessor, or a DEFSTAN contracting authority representative interviews management, these are the questions they typically ask:

To a Director:
  - What is your role in the ISMS?
  - When did you last review the information security policy?
  - What would you do if you were told the organisation had suffered a breach of defence contract data?
  - How do you know whether the organisation's security posture is adequate?

To a line manager:
  - What happens when someone in your team is leaving?
  - Have you ever seen a security issue in your team? What did you do?
  - When did your team last complete security awareness training?
  - What would you do if someone told you they thought their device was infected?

Answers that satisfy these questions are not about knowing technical details. They are about understanding the management role and being able to describe the process. A Director who says "I reviewed the information security policy at the management review in [month] — there were some changes to the data classification section following our new MOD contract, and I confirmed those changes were appropriate" has answered the question. A Director who says "the CISO handles all of that" has created an ISO 27001 clause 5.1 finding.


Management role-specific training requirements

Role | Required training | Frequency | Evidence
Board / Directors | Annual security briefing from CISO: current threat landscape; posture summary; specific obligations (CMMC affirmation, DFARS, DEFSTAN notification); what to say (and not say) at assessment interviews | Annual — can be embedded in management review | Board / Director attendance at management review (EV-A01); separate CISO briefing record if done outside the review
All senior managers | Annual security awareness training (same as all-staff); management review participation; risk register orientation (from this page) | Annual training by [deadline]; management review attendance | EV-B05 (training completion — same evidence as all-staff); EV-A01 (management review attendance)
Line managers | Annual security awareness training; line manager-specific module covering JML obligations, insider threat awareness, and escalation protocol | Annual by [deadline] | EV-B06 (role-specific training — line manager module completion record)
Risk owners | Risk assessment methodology briefing (from CISO); risk register orientation | On appointment; annual refresh at management review cycle | EV-A08 (ISMS role competency) — risk owner training confirmation

Briefing the CMMC senior official

The CMMC senior official affirmation is an annual obligation. Before the senior official can sign the affirmation, they must understand what they are affirming. The CISO provides the following briefing:

CMMC SENIOR OFFICIAL ANNUAL BRIEFING — AGENDA

1. What the affirmation says and what it means legally (5 minutes)
   The senior official confirms that the annual self-assessment was conducted
   according to the CMMC methodology, that the SPRS score accurately reflects
   current implementation, and that any gaps are in an active POA&M.
   This is not a statement that the organisation is perfectly secure — it is
   a statement that the assessment was honest and the documentation is accurate.
   False affirmation = personal liability under the False Claims Act.

2. Current SPRS score and what it means (10 minutes)
   Current score: [N] / 110
   Controls fully implemented: [N]
   Controls with open POA&M items: [N]
   CISO confirms the score is accurate as of today's date.

3. Open POA&M items (10 minutes)
   For each open item: what the gap is (plain English); what we are doing about it;
   when we expect it to be closed; what the risk is during the gap.
   Senior official confirms they are satisfied these are being actively managed.

4. Affirmation signing (5 minutes)
   Senior official signs the affirmation document, confirming date and title.
   CISO files in EV-E → CMMC → Annual Affirmations → [YYYY].

Total briefing time: approximately 30 minutes
Frequency: Annual — before SPRS submission deadline

Section 6 — The annual management review — what you will be asked to do

A guide for management participants who are attending the annual management review, so they know what to expect and how to prepare.


What the management review is

The annual management review (EV-A01) is not a status update meeting — it is a formal governance event required by ISO 27001 clause 9.3. The certification body auditor will review the minutes at the next surveillance audit and will verify that:
  - Top management attended (not delegated to CISO only)
  - All nine required inputs were discussed
  - Decisions were made and documented
  - Actions were assigned with owners and dates

It is typically 90–120 minutes and should be treated as a board-equivalent agenda item.


What you need to have read before attending

Each management review participant should have reviewed:

BEFORE THE MANAGEMENT REVIEW — READ:
  □ Management Risk Posture page — current quarter's summary
    (This page: 05 · Risk Register → Management Risk Posture)
  □ Prior management review minutes — what was agreed last year?
    (EV-A → Management System → Management Reviews → [prior YYYY])
  □ Policy review log (Section 3 of this page) — are any policies overdue?
  □ CISO's pre-review briefing pack (distributed 1 week before the review)
    Includes: metrics summary, audit results, risk posture delta, proposed objectives

What will be discussed and your role in each item

Agenda item (ISO 27001 clause 9.3.2) | What the CISO presents | What management must do
Status of actions from previous review | Which actions from last year's review are complete / outstanding | Confirm completion; challenge any outstanding actions that have been open longer than the target date
Changes in external and internal issues | Threat landscape changes; new contracts; regulatory changes; business changes that affect ISMS scope | Confirm whether any business strategy changes affect the ISMS scope or risk appetite
Feedback on security performance | Security metrics summary (EV-F02 annual aggregation): patch compliance, MFA coverage, incident count, training completion | Ask questions about any metric that is outside target; confirm whether performance is acceptable
Results of risk assessments | Risk register summary: posture changes, top 5 risks, any risks exceeding appetite | Approve any formal risk acceptances proposed; confirm that risk appetite remains appropriate
Results of internal audit | Findings from the year's internal assessment, corrective actions status | Confirm all findings are appropriately resourced for closure
Supplier security performance | Any supplier incidents, assessment results, contractual concerns | Direct any changes to supplier security requirements
Training effectiveness | Completion rates, phishing click rate trend, any gaps | Confirm training programme is adequately resourced
Feedback from interested parties | Any customer, regulator, or contracting authority feedback | Confirm any response obligations
Opportunities for continual improvement | CISO's proposals for the coming year | Approve security objectives; allocate budget for approved investment proposals

What the meeting must produce — documented outputs

The management review minutes must document:

Required ISO 27001 clause 9.3.3 outputs — must appear in the minutes:

1. Decisions on continual improvement opportunities
   (Which CISO proposals were approved? Which were deferred? Which were declined?)

2. Any changes needed to the ISMS
   (Scope, policy, processes, resources — what is changing for the coming year?)

3. Resource needs
   (What budget or people commitments are being made? Who owns the delivery?)

Each output must be specific and actionable:
  Not adequate: "The management team agreed to continue supporting the ISMS."
  Adequate: "The management team approved the EDR platform upgrade at a cost of
             £[X], to be implemented before the C3PAO assessment in Q[N] [YYYY].
             Responsible: IT Manager. Budget authorised by: [Director Name]."

Section 7 — Frequently asked management questions

Answers to the questions senior management most commonly ask about their ISMS accountability obligations, written to be forwarded directly to the person asking.


Q: Do I need to read all 12 policies in full every year?

You need to read the policies you are the named approving authority for. For a Director approving Policy 01 (Information Security Policy), yes — you need to have read it. For a Director who is not the named approving authority for a specific policy, you need to have enough awareness to discuss it at the management review if asked. The CISO's pre-review briefing pack will flag any policies with material changes so you know where to focus your reading.


Q: What exactly am I signing when I affirm the CMMC assessment?

You are signing a statement that says: the organisation has conducted a self-assessment of its cybersecurity posture against the NIST SP 800-171 standard; that assessment was conducted using the prescribed methodology; the score entered in the SPRS database accurately reflects the organisation's current implementation status; and any gaps are documented in an active Plan of Action and Milestones. You are not signing a statement that the organisation is perfectly secure — you are signing that the assessment was honest. The CISO will brief you on the specific score, the specific gaps, and the specific treatment actions before you sign.


Q: If there is a security breach, what am I expected to do?

Your primary role in a breach is to make two decisions: whether to notify regulatory authorities (which the CISO will brief you on, with specific deadlines and consequences), and whether the organisation's external communications need to be managed (customers, media, contracting authority). The CISO manages the technical response. You are not expected to investigate or remediate — you are expected to make the decisions that require your authority.

Call the CISO directly. Do not try to assess the severity of the breach yourself before calling — the CISO needs to know immediately, not after you have decided whether it is serious enough to mention.


Q: Someone asked me about a security matter at an industry event — what should I say?

The organisation's security controls, architecture, and certification status are not confidential — our Cyber Essentials certificate is publicly verifiable, and our ISO 27001 certification can be confirmed through the certification body. What you should not discuss publicly: specific technical vulnerabilities; whether you are aware of any ongoing incidents; the specific systems or locations where CUI is processed; or our SPRS score.

If a customer or potential customer asks about our security posture, the CISO can provide an appropriate briefing pack. If you are unsure whether something is appropriate to share, ask the CISO before the conversation rather than after.


Q: A contracting authority representative asked me directly whether we are CMMC compliant. What do I say?

Say that the organisation has conducted its annual CMMC Level 2 self-assessment, the result has been submitted to SPRS, and you would be happy to arrange for the CISO to provide a detailed briefing or a formal compliance attestation. Do not make any statement about specific controls or gaps without the CISO present. The CMMC affirmation process is specific and legally significant — casual verbal assurances outside that process do not have the same standing and could create inconsistency with the formal record.


Q: My line manager did not initiate the leaver process for someone who left my department. Is that a security problem?

Yes, potentially. If the departing person had access to CUI-scope systems and the account was not deactivated on their final day, there is a period of potential unauthorised access, which is a compliance gap. Contact IT Operations and the CISO immediately. The CISO will check whether the account has been used since departure and will document the gap in the corrective action register. This is a process failure that requires a corrective action, not a crisis — but it needs to be discovered now rather than at the next access review.


Section 8 — Management accountability evidence log

The CISO maintains this log as evidence that management accountability has been exercised. It is reviewed at ISO 27001 surveillance audits and may be presented to contracting authorities. Add an entry whenever a management accountability action is completed.

Format per entry:
  [DATE] [Action type] [Brief description] [Authority who completed it]

Action types:
  POLICY-APPROVAL     — annual policy sign-off
  RISK-ACCEPTANCE     — formal risk acceptance above CISO authority
  INVESTMENT-DECISION — treatment investment approval or decline
  INCIDENT-DECISION   — management decision made during or after incident
  CMMC-AFFIRMATION    — senior official affirmation signed
  DEFSTAN-NOTIF       — contracting authority notification approved
  SCOPE-CHANGE        — ISMS scope change approved
  MGMT-REVIEW         — annual management review held
  BRIEFING            — management briefing completed (e.g. CMMC briefing)
Date | Action type | Description | Authority
[Date] | POLICY-APPROVAL | Policy 01 (Information Security Policy) v[N] approved for [YYYY] | [Director Name, Role]
[Date] | CMMC-AFFIRMATION | Annual CMMC self-assessment affirmed; SPRS score [N] submitted | [Director Name, Role]
[Date] | MGMT-REVIEW | Annual management review held — [N] attendees; minutes filed EV-A01 | [CISO Name]
[Date] | RISK-ACCEPTANCE | RISK-[YYYY]-[NNN] formally accepted at High rating — [brief rationale] | [Director Name, Role]
[Date] | INVESTMENT-DECISION | Proposal REF-[YYYY]-[NN] approved at £[X] — [brief description] | [Director Name, Role]

Version and review

Version | Date | Prepared by | Approved by | Key changes
1.0 | [DATE] | CISO | [Director Name] | Initial publication

Page owner: CISO · Review cycle: Annual (at management review) · SCM: isms-management · Questions: [ciso@organisation.com]