Information Security Management

ISO 27001 People Controls Explored

The “people” controls of ISO 27001 form a small, but important part of Annex A.

They address the human side of information security — from screening and awareness to managing access and disciplinary processes, ensuring that everyone with access to information understands their responsibilities and behaves securely.

Tools & Services ← Back to controls overview

Select a control family to explore it in more detail

Organisational
Controls People
Controls Phyiscal
Controls Technological
Controls

See a list of all the controls of Annex A

ISO 27001 Annex A People Controls Explained In 3 Minutes

What Are People Controls in ISO 27001?

People controls are the behavioural and responsibility-based safeguards in Annex A.
They help ensure that employees, contractors, and suppliers act securely and follow the rules that keep information protected.

While technology and policies matter, human error remains the top cause of security incidents — which is why People Controls are vital for a functioning ISMS.

< Back to my Annex A Overview

How ISO 27001 People Controls Fit into Annex A

ISO 27001:2022 defines 8 People Controls (A.6.1 to A.6.8) within the overall 93 controls of Annex A.

They sit alongside three other control themes:

Organisational – management and governance processes (this page)
Physical – premises and equipment
Technological – systems and infrastructure

Together, these address the people, process, and technology layers of security.

The specific controls you apply — and how — are documented in your Statement of Applicability.

How the ISO 27001 people controls relate to the other control families in Annex A

Control List (6.1 – 6.8)

Below is a complete list of the People controls, each linking to its own detailed explanation and examples.

6.1 – Screening

6.2 – Terms and conditions of employment

6.3 – Information security awareness, education and training

6.4 – Disciplinary process

6.5 – Responsibilities after termination or change of employment

6.6 – Confidentiality or non-disclosure agreements

6.7 – Remote Working

6.8 – Information Security Event Reporting

ISO 27001 Full Document Toolkit

Every document your auditor
expects to see.

130 Word & Excel templates, ready to edit. Policies, risk register, Statement of Applicability, audit pack, staff communications — all updated for ISO 27001:2022.

130 templates

Instant download

Written by practising consultant

ISO 27001:2022

The Importance of People Controls in 27001

So, why have “people” controls? Well, the benefits include;

People are both your strongest defence and biggest vulnerability.
Embedding awareness reduces accidental data loss and phishing incidents.
HR-linked controls show that your ISMS is cultural, not just technical.
They support compliance with privacy laws (GDPR, Data Protection Act) by ensuring everyone handles data responsibly.

Any glance at the newspaper headlines indicates why having strong controls around people and training is so important – At the heart of so many ransomware attacks that have had major disruptions to local and global businesess, the human aspect has been the weakest link.

Check out some of the other control families here;

FAQ: Organisational Controls

Are People Controls mandatory for certification?

Yes – every organisation must assess and apply them as part of its SoA. It would be hard to justify excluding any of them.

Who is responsible for these controls?

It very much depends on the style, size and nature of your business, but usually HR, supported by IT, Legal, and Information Security teams.

How often should awareness training be run?

At least annually, with refreshers after major incidents or policy updates.

Do remote workers fall under these controls?

Yes – A.6.7 explicitly covers remote working requirements.

Start with the free templates

Includes all the mandatory document templates — free, no commitment