Which of the following indicates management's dedication to information security as a continuous effort?

The option that indicates management's commitment to information security as a continuous effort is promoting continual improvement of the Information Security Management System (ISMS). This approach aligns with the core principles of ISO 27001, which emphasize that an effective ISMS is not static but should adapt and evolve over time to address new threats, vulnerabilities, and changes in the organization or its operating environment.

Promoting continual improvement involves regular reviews, audits, and updates to security practices, policies, and procedures to ensure they remain effective and relevant. This process helps the organization not only to comply with standards but also to proactively manage risks and respond to new challenges in information security. Management’s engagement in these activities demonstrates a culture of security awareness and accountability, fostering a proactive rather than reactive stance towards information security.

In contrast, options such as implementing the ISMS once without review, assigning security tasks solely to IT, or adding annual training without follow-up do not embody a commitment to ongoing information security efforts. These approaches suggest a limited or superficial engagement with information security practices, lacking the necessary proactive measures to maintain and enhance the security posture over time.