Section 6: ISO 27001 Annex A People Controls
In any organisation, the human element is both a critical asset and a potential vulnerability in information security. Section 6 of Annex A in ISO 27001:2022, titled "People Controls," recognises this duality and focuses on establishing robust practices to manage and mitigate risks associated with personnel.
This section ensures that individuals interacting with the organisation’s information assets are carefully vetted, adequately informed, and held accountable for their roles in protecting those assets.
The controls outlined in this section address key areas such as screening candidates, defining the security responsibilities within employment contracts, and providing continuous education and awareness on information security. Additionally, it emphasises the importance of disciplinary measures, the secure handling of information post-employment, and confidentiality protection through non-disclosure agreements.
With the increasing prevalence of remote working, this section also underscores the need for tailored security measures to safeguard information outside traditional office environments. Lastly, it establishes the importance of having clear channels for reporting information security events, ensuring that potential threats are promptly identified and managed.
By implementing the ISO 27001 Annex A people controls, businesses can significantly reduce the risks posed by human factors, fostering a culture of security awareness and responsibility across all workforce levels. This proactive approach is essential in maintaining information integrity, confidentiality, and availability in an increasingly complex and interconnected digital landscape.
6.1 Screening
Purpose
Screening is a crucial step in ensuring that individuals with access to sensitive information are trustworthy and fit to uphold the organisation’s security standards.
Background verification checks help identify potential risks for new hires or personnel accessing critical systems and data.
These checks may include verifying the candidate’s identity, employment history, educational qualifications, and criminal records.
This control's purpose is to mitigate the risks posed by insider threats, fraud, or other malicious activities that could harm the organisation.
Implementation
To implement effective screening procedures, organisations should establish a comprehensive background verification process for all potential hires. This process should be aligned with applicable laws, regulations, and ethical considerations, ensuring that candidates' privacy and rights are respected.
The screening level should be proportional to the role’s responsibilities and the sensitivity of the information the candidate will access.
For example, individuals accessing classified or highly sensitive information may require more thorough checks, including financial background checks or security clearances.
Organisations should also consider implementing ongoing screening for current employees, especially when they are promoted to positions with higher access privileges.
Documentation of the screening process should be maintained, and any red flags identified during screening should be thoroughly investigated before hiring decisions are made.
6.2 Terms and Conditions of Employment
Purpose
The terms and conditions of employment are foundational documents that outline the mutual responsibilities of the organisation and its employees concerning information security. This control ensures that employees know their obligations to protect the organisation’s information and understand the consequences of failing to comply with security policies.
Organisations can set clear expectations by including information security responsibilities in employment contracts and creating a legally binding agreement that holds employees accountable for their actions.
Implementation
To implement this control, organisations should revise their employment contracts and explicitly state the employees’ responsibilities regarding information security.
These responsibilities may include adhering to the organisation’s security policies, reporting incidents, and protecting confidential information.
The contracts should also outline the organisation’s commitment to providing a secure working environment and the measures it will take to protect its information assets.
Employees should acknowledge and sign these terms as part of the onboarding process.
Additionally, the organisation should periodically review and update the terms and conditions to reflect changes in security policies, legal requirements, or the operational environment.
Clear communication of these terms during onboarding and through regular training can reinforce the importance of information security within the organisation.
6.3 Information Security Awareness, Education, and Training
Purpose
This control ensures that all personnel and relevant interested parties are adequately informed, educated, and trained on the organisation’s information security policies, procedures, and best practices.
Regular updates to this training ensure that employees remain aware of new threats, technologies, and changes in the organisation’s security landscape.
The ultimate goal is to create a security-conscious culture where everyone understands their role in protecting the organisation’s information assets.
Implementation
To implement effective information security awareness, education, and training programs, organisations should first identify the specific training needs of their employees based on their roles and responsibilities.
Training should cover the organisation’s security policies, threat awareness, safe handling of sensitive information, and procedures for reporting security incidents.
Training programs should be mandatory for all employees and provided regularly, with additional sessions when policies or the threat landscape are significantly updated. Interactive training methods, such as simulations, workshops, and e-learning modules, can enhance engagement and retention.
The organisation should also measure the effectiveness of its training programs through assessments, feedback, and tracking compliance.
Regular updates to training content ensure that it remains relevant and aligned with the latest security trends and organisational needs.
6.4 Disciplinary Process
Purpose
A formalised disciplinary process is essential for enforcing the organisation’s information security policies and deterring violations. This control ensures that there are clear, consistent, and fair procedures in place to address non-compliance with security policies, whether intentional or accidental.
This control's purpose is to reinforce the importance of following security protocols and mitigate risks by taking appropriate action against those who fail to adhere to them.
Implementation
To implement this control, organisations should develop a clear disciplinary process that outlines the steps to be taken when an employee violates information security policies.
This process should include a range of disciplinary actions, from verbal warnings and mandatory retraining to suspension or termination, depending on the severity of the violation.
The organisation should ensure that this process is documented and communicated to all employees as part of the onboarding process and through regular training.
It is also important to apply the disciplinary process consistently across the organisation to avoid perceptions of bias or unfair treatment. In addition to punitive measures, the organisation should use incidents as learning opportunities to reinforce the importance of security and prevent future violations.
6.5 Responsibilities After Termination or Change of Employment
Purpose
This control addresses the ongoing responsibilities related to information security that persist even after an employee leaves the organisation or changes roles.
It is critical to ensure that former employees or those who have moved to different roles within the organisation do not retain access to sensitive information or systems no longer relevant to their responsibilities. This control is vital for protecting the organisation from potential data breaches, unauthorised access, or misuse of information by former employees.
Implementation
To implement this control, organisations should establish procedures for managing information security responsibilities after an employee’s termination or role change. This includes promptly revoking access to systems, retrieving company assets, and ensuring that any confidential information in the employee’s possession is returned or securely destroyed.
The organisation should also communicate any continuing obligations related to confidentiality or non-disclosure that persist after employment ends.
These procedures should be part of the exit process and documented to ensure consistency and accountability.
Access rights should be reviewed and adjusted for employees changing roles within the organisation to match their new responsibilities, with any unnecessary access promptly revoked. Regular audits should be conducted to verify that these processes are being followed effectively.
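The leaver and mover checks described above can be automated as a periodic reconciliation of the HR roster against the identity store. The script below is an added illustration, not part of the original article or of the ISO standard; the data model (Person and Account records, a role-to-entitlement baseline, and the sample roster) is constructed for the example, and a real deployment would read these from the HR system and directory instead.

```python
"""Joiner/mover/leaver access audit (illustrative; constructed data model)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Person:
    emp_id: str
    role: str
    status: str                       # "active" or "terminated"
    end_date: Optional[date] = None   # last working day for leavers


@dataclass
class Account:
    username: str
    emp_id: Optional[str]             # None when no HR owner is recorded
    enabled: bool
    entitlements: set = field(default_factory=set)


# Role baseline: the entitlements each role is expected to hold (constructed).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "email"},
    "payroll-admin": {"erp-read", "erp-payroll-write", "email"},
    "helpdesk": {"email", "ticketing"},
}


def find_leaver_accounts(people, accounts, as_of):
    """Enabled accounts whose owner has left (end date reached) or is unknown to HR."""
    by_id = {p.emp_id: p for p in people}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                          # already disabled: nothing to revoke
        owner = by_id.get(acct.emp_id)
        if owner is None:
            findings.append((acct.username, "no HR owner"))
        elif owner.status == "terminated" and owner.end_date and owner.end_date <= as_of:
            findings.append((acct.username, f"owner left {owner.end_date.isoformat()}"))
    return findings


def find_excess_entitlements(people, accounts):
    """Entitlements beyond the owner's current role baseline (typical mover residue)."""
    by_id = {p.emp_id: p for p in people}
    findings = []
    for acct in accounts:
        owner = by_id.get(acct.emp_id)
        if owner is None or owner.status != "active":
            continue                          # leavers are handled by the other check
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(owner.role, set())
        if excess:
            findings.append((acct.username, owner.role, sorted(excess)))
    return findings


# Constructed sample roster and account list.
PEOPLE = [
    Person("E100", "finance-analyst", "active"),
    Person("E101", "payroll-admin", "terminated", date(2024, 6, 15)),
    Person("E102", "helpdesk", "active"),      # moved from payroll-admin to helpdesk
    Person("E104", "helpdesk", "terminated", date(2024, 7, 31)),  # notice period
]
ACCOUNTS = [
    Account("alice", "E100", True, {"erp-read", "email"}),
    Account("bob", "E101", True, {"erp-read", "erp-payroll-write", "email"}),
    Account("carol", "E102", True, {"email", "ticketing", "erp-payroll-write"}),
    Account("svc-legacy", None, True, {"erp-read"}),
    Account("dave", "E103", False, {"email"}),
    Account("erin", "E104", True, {"email", "ticketing"}),
]


def run_audit(as_of):
    """Return both finding lists for a given audit date."""
    return {
        "leavers": find_leaver_accounts(PEOPLE, ACCOUNTS, as_of),
        "excess": find_excess_entitlements(PEOPLE, ACCOUNTS),
    }


if __name__ == "__main__":
    for kind, items in run_audit(date(2024, 7, 1)).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Running the audit on 1 July 2024 flags bob (left in June, still enabled), svc-legacy (no HR owner) and carol (kept a payroll entitlement after moving to helpdesk), but not erin, whose last day is still in the future; running it again on 1 August flags erin as well. Keeping the audit date explicit is what lets the same check serve both the exit process and the regular audits the control calls for.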
6.6 Confidentiality or Non-Disclosure Agreements
Purpose
Confidentiality or non-disclosure agreements (NDAs) protect sensitive information from unauthorised disclosure. These agreements legally bind employees, contractors, and other relevant parties to maintain the confidentiality of the organisation’s information during and after their engagement.
This control aims to safeguard proprietary information, intellectual property, trade secrets, and any other confidential data that could harm the organisation if disclosed.
Implementation
To implement this control, organisations should require all employees, contractors, and other relevant parties to sign confidentiality or non-disclosure agreements as a condition of their employment or engagement. These agreements should clearly define what constitutes confidential information and outline the signatory's obligations regarding its protection.
The agreements should also specify the duration of the confidentiality obligations, which often extend beyond the term of employment or contract.
The organisation should regularly review and update NDAs to reflect current legal requirements and needs.
Legal counsel should be involved in drafting and reviewing these agreements to ensure they are enforceable and provide adequate protection.
The organisation should also enforce these agreements, taking legal action to address any breaches.
6.7 Remote Working
Purpose
The rise of remote working introduces new challenges for maintaining information security as employees access, process, and store information outside the traditional organisational environment. This control focuses on implementing security measures to protect information when personnel work remotely, ensuring that the organisation’s information security posture remains robust regardless of where employees are located.
Implementation
To implement this control, organisations should establish a remote working policy that outlines the security measures employees must follow when working outside the office. This policy should include requirements for secure access to the organisation’s network, such as using virtual private networks (VPNs), multi-factor authentication (MFA), and encryption for data transmission.
Employees should be provided with secure devices configured with the necessary security controls, such as firewalls, antivirus software, and automatic updates.
The organisation should also offer guidance on the safe handling of physical documents and the secure disposal of sensitive information.
Regular training and awareness programs should be conducted to ensure employees understand the security risks associated with remote working and know how to mitigate them.
Monitoring and incident response procedures should be adapted to accommodate the remote working environment, ensuring that any security incidents are detected and addressed promptly.
6.8 Information Security Event Reporting
Purpose
Timely and accurate reporting of information security events is critical for responding effectively to potential threats and preventing security incidents from escalating. This control ensures that personnel have a clear mechanism for reporting observed or suspected security events, such as suspicious activity, data breaches, or policy violations.
This control's purpose is to enable the organisation to detect and respond to security events quickly, minimising their impact on operations.
Implementation
To implement this control, organisations should establish a clear and accessible reporting mechanism for information security events. This could include a dedicated hotline, an email address, or an online reporting form.
Employees should be trained to recognise potential security events and understand the importance of reporting them immediately. The reporting mechanism should be designed to protect the reporter's confidentiality and ensure that all reports are treated seriously and investigated promptly.
The organisation should also establish procedures for triaging and responding to reported events, ensuring that critical incidents are prioritised and handled by the appropriate personnel.
Regular reviews of the reporting process should be conducted to ensure it remains effective and that any barriers to reporting are addressed.