ISO 27001 People Controls Explored

Learn how the ISO 27001 people controls family from Annex A works: what the controls are, and how you meet them.


ISO 27001 Annex A outlines a comprehensive set of security controls to help organisations build and maintain a robust Information Security Management System (ISMS). Among these, the “People Controls” group focuses specifically on the human aspect of information security — ensuring that employees, contractors, and other stakeholders understand their responsibilities and act in a way that protects sensitive information.

ISO 27001 People Controls are designed to reduce risks caused by human error, negligence, insider threats, and lack of awareness. Since even the best technical and physical security measures can be compromised by human behaviour, building a strong culture of information security among your people is critical.


What Are ISO 27001 People Controls?

People controls are measures that address how individuals interact with information systems and processes. They are about ensuring that the right people are recruited, trained, managed, and supported to uphold information security standards throughout their time with the organisation — and even after they leave.

These controls help prevent security breaches caused by accidents, poor judgment, or malicious intent.


Why Are People Controls Important in ISO 27001?

People are often cited as the “weakest link” in information security. Mistakes like clicking on phishing emails, using weak passwords, or mishandling sensitive documents can lead to serious incidents.

By implementing effective People Controls, organisations can:

  • Reduce the likelihood of accidental or deliberate breaches
  • Build a culture of security awareness and accountability
  • Ensure that staff understand their security responsibilities
  • Manage security risks throughout the employee lifecycle (hire to exit)

Well-implemented People Controls strengthen every other aspect of the ISMS by making security an everyday priority for everyone.


Key Areas Covered by ISO 27001 People Controls

The People Controls group in ISO 27001 Annex A includes several critical practices:

1. Screening (A.6.1)

  • Conducting background checks and verifying qualifications for individuals in sensitive roles.

2. Terms and Conditions of Employment (A.6.2)

  • Including information security responsibilities in employment contracts and agreements.

3. Information Security Awareness, Education, and Training (A.6.3)

  • Providing regular training and awareness programs to all personnel.

4. Disciplinary Process (A.6.4)

  • Establishing consequences for breaches of information security policies.

5. Responsibilities After Termination (A.6.5)

  • Ensuring that former employees or contractors cannot access sensitive systems or information after they leave.

Each of these areas plays a role in managing human-related risks to information security.


Examples of ISO 27001 People Controls in Practice

Here are some practical examples of how organisations implement People Controls:

  • Pre-employment screening: Checking criminal records and references for employees handling sensitive data.
  • Security clauses in contracts: Including confidentiality and data protection requirements in employment terms.
  • Mandatory security training: Delivering annual training sessions and phishing simulations.
  • Clear disciplinary policies: Defining the consequences of negligent or malicious security actions.
  • Exit procedures: Revoking system access and recovering ID cards, laptops, and mobile devices when staff leave.

These measures create a secure human environment that supports and reinforces technical and organisational protections.


How to Implement People Controls for ISO 27001

To implement People Controls effectively:

  1. Establish Pre-employment Checks
    • Define screening processes based on role sensitivity.
  2. Integrate Security into Employment Terms
    • Update contracts to include security responsibilities and expectations.
  3. Deliver Ongoing Awareness Training
    • Regularly educate staff about threats, best practices, and updates to policies.
  4. Define a Disciplinary Framework
    • Create clear procedures for addressing security breaches or misconduct.
  5. Plan Secure Exit Processes
    • Ensure that offboarding procedures remove all access and recover sensitive assets.
  6. Monitor and Refresh Initiatives
    • Continuously review and improve training programs and HR processes based on feedback and emerging risks.

Common Challenges with People Controls

Implementing People Controls can be challenging due to:

  • Lack of engagement from employees or managers
  • Keeping training relevant and up to date
  • Managing access rights and confidentiality for contractors and third parties
  • Ensuring consistent offboarding practices

Overcoming these challenges requires strong collaboration between HR, IT, and Information Security teams, supported by a top-down commitment to security culture.

Further Reading

Check out this post on the ISO 27001 Controls list from BSI



Written by

Alan Parker

Alan Parker is an experienced IT governance consultant who’s spent over 30 years helping SMEs and IT teams simplify complex IT challenges. With an Honours Degree in Information Systems, ITIL v3 Expert certification, ITIL v4 Bridge, and PRINCE2 Practitioner accreditation, Alan’s expertise covers project management, ISO 27001 compliance, and service management best practices. Recently named IT Project Expert of the Year (2024, UK).
