Management should require all personnel to apply information security according to the organization’s established information security policy, topic-specific policies, and procedures. ISO/IEC 27002 makes management responsibilities clear: leadership must ensure personnel understand and fulfill their security duties. Personnel are expected to follow approved policies and procedures, protect information assets, report security events, and comply with assigned responsibilities. Option B is incorrect because establishing and approving policies is a management responsibility, not a duty assigned to all personnel. Option C is incorrect because reading ISO/IEC 27002 guidelines is not a substitute for following the organization’s own approved policies and procedures. ISO/IEC 27002 provides guidance to organizations, but employees need practical internal rules that apply to their roles, systems, data, and processes. Management commitment is demonstrated by assigning responsibilities, communicating expectations, providing awareness and training, and enforcing compliance. The core principle is that information security must be operationalized through everyday behavior, not left as abstract documentation. Therefore, option A is the verified answer. References/Chapters: ISO/IEC 27002:2022, Control 5.4 Management responsibilities; Control 5.1 Policies for information security; Control 6.3 Information security awareness, education and training.

==========