ISO27002:2022 explained – People controls

In this article, we explain the new ISO 27002:2022 chapter 6 – People controls. This covers the controls required for secure human resources management. This is the second article in a series of four, each article covering one chapter:

1. Organization controls (chapter 5)
2. People controls (chapter 6) – This article
3. Physical controls (chapter 7)
4. Technological controls (chapter 8)

In the previous version, ISO 27002:2013, many of these controls were to be found in chapter 7, Human Resources. Those familiar with the 2013 version, will find a few new controls in this version. A detailed explanation of the previous controls can be found in this blog post.

Screening (6.1)

An information security management system needs a policy for screening all new or promoted employees, including consultants and temporary staff. This is to ensure that employees are competent and trustworthy. The policy needs to take into account both local legislation and regulations and the role of the new employee to insure that screening is sufficient but not disproportionate. Some roles within an organisation may require a higher level of screening, for example if employees will be handling confidential information. For information security roles in particular, screening should also include necessary competences and trustworthiness, and this should be documented accordingly.

Terms and conditions of employment (6.2)

Before beginning work, the employee needs to be aware of the organisation’s information security policy, including information security roles and responsibilities. This could be communicated via a signed code of conduct or similar method. The employees’ contracts should also include the organisation’s relevant information security policy, including a confidentiality agreement if the employee will be have access to confidential information.

Information security awareness, education and training (6.3)

Employees need information security training when they join the organisation of change roles. Longer serving personnel also need to have their awareness maintained with regular training and communication. The training needs to be relevant to the role. For many staff, this will include basics such as reminders about password security and social-engineering attacks. For technical staff or those handling confidential material more in-depth education will be required for their specific role.

Disciplinary process (6.4)

A policy for the disciplinary process following a confirmed information security policy violation should be in place. The disciplinary procedure should be proportionate and graduated, with actions that depend on the severity of the incident, the intention, whether it was a repeat offence and importantly whether the employee was adequately trained. Many recorded security incidents will be the result of a policy violation and should to lead to disciplinary action. This is important to remember because staff should avoid reporting security incidents through fear of disciplinary action.

Responsibilities after termination or change of employment (6.5)

Information security responsibilities do not end when employment is changed or terminated. The employee’s terms and conditions of employment should contain confidentiality agreements, which require the employee to respect the confidentiality of information after they have left the organisation. When an employee leaves, they may also leave information security roles vacant. To maintain continuity of security, management must identify these roles so that they can be transferred.

Confidentiality or non-disclosure agreements (6.6)

If the confidentiality of information is sufficiently high, it may need to be protected by legally enforceable terms. In this case, confidentiality agreements can be used, setting out the information covered, the responsibilities of all parties, the duration of the agreement and the penalties should the agreement be broken. These protect the information from disclosure after the employee has left the organisation for a given time period.

Remote working (6.7)

Remote working has become standard at many organisations, giving both organisations and employees more flexibility. There are however information security implications for remote working, which should be considered and documented. The remote working policy should outline where and when remote working in permitted, device and equipment provision, authorised access and what information may be accessed remotely. Of particular importance are policies governing the use of strange networks and the risk that friends, family or strangers may overhear or see confidential information.

Information security event reporting (6.8)

Employees sometimes encounter information security incidents during their daily work. Incidents can instances such as include human errors, confidentiality breaches, malfunctions, suspected malware infections and non-compliance with the IS policy or the law. The first step in identifying, fixing and preventing incident reoccurrence is reporting. Employees therefore need a reporting channel and to be aware of its existence.

Each control measure in ISO 27002:2022 has guidance and implementation suggestions beyond what is summarised in this article. For further information, we therefore recommend reading the norm itself. For a summary of the other chapters in ISO 27002:2022, please visit out blog posts on chapter 5 – organisational controls, chapter 7 – physical controls and chapter 8 – technological controls.

Questions or help needed in implementing controls? Get in touch with our consultants!

Image credit: Marvin Meyer @marvins_memories via Unsplash