Which action is NOT representative of management commitment to information security?


Delegating all security tasks to lower management does not represent management commitment to information security for several reasons. True commitment involves active engagement from top management in establishing, promoting, and supporting the Information Security Management System (ISMS).

When management is actively involved, they set the tone for the importance of information security across the organization, which includes participating in discussions about security objectives, conducting risk assessments, and ensuring that there are adequate resources allocated to security initiatives. This involvement helps to create a security culture that prioritizes safeguarding information assets.

In contrast, simply delegating security responsibilities to lower management without any oversight or involvement from higher levels can lead to disjointed efforts, a lack of accountability, and communication breakdowns. It might give the impression that security is not a priority for the organization as a whole, undermining the purpose of the ISMS.

To truly embody management commitment, it is essential for leaders to consistently apply the ISMS in everyday activities, communicate its significance throughout the organization, and integrate security measures into broader company processes. This comprehensive approach fosters a more secure environment and reinforces the organization's dedication to protecting its information assets.
