ISO27001 explained – A6 People controls
Sieuwert van Otterloo | Security
In this article, we explain the new ISO 27002:2022 chapter 6 – People controls. This covers the controls required for secure human resources management. This is the second article in a series of four, each article covering one chapter:
- Organization controls (chapter 5)
- People controls (chapter 6) – This article
- Physical controls (chapter 7)
- Technological controls (chapter 8)
In the previous version, ISO 27002:2013, many of these controls were found in chapter 7, Human Resources. Those familiar with the 2013 version will find a few new controls in this version. A detailed explanation of the previous controls can be found in this blog post.
Learn faster on our YouTube channel
You can also learn how to implement organizational controls directly from our full ISO 27001 course on YouTube. Discover the other chapters on our YouTube channel, which covers the whole ISO 27001 series.
Implementing People Controls
Annex A6 focuses on reducing people-related security risks: mistakes, lack of awareness, and malicious insider behaviour. The controls are intended to function largely through HR and line management, with information security providing templates, rules, and monitoring evidence.
A practical way to implement A6 is to maintain an ‘Information Security Rules’ document together with evidence:
- An ‘Information Security Rules’ or ‘Acceptable Use’ document for all staff, written in plain language, with mandatory rules explaining which tools to use or not use (including when to contact IT/CISO) – you can find most of these rules implemented in our template.
- HR templates and checklists (screening steps, job listing template, contract clauses, onboarding/offboarding checklists).
- Evidence (attendance lists, signed contracts/acknowledgements, completed offboarding records, event reports).
If you want to create staff IS rules from scratch, we advise organizing a first meeting with staff representatives in workshop fashion to understand how staff actually work. In this meeting you describe why these rules are necessary for information security, and the related risks and controls. As a CISO, take care to first collect input on how the company works and only then proceed with designing the rules. Once the IS rules document is ready, have management approve it.
Rolling out new rules requires a finalized rules document that is available company-wide. A smart way to introduce a new rule is to include it in the next security awareness training. This way, colleagues can ask questions and you can check whether they understand the new rule. Do not forget to propagate the changed IS rules to the HR templates, e.g., for new contracts. To propagate the new rules to existing staff, include the updated rules to be signed at a contract renewal or at the next raise.
Screening (6.1)
An information security management system (ISMS) needs a policy for screening all new or promoted employees, including consultants and temporary staff. This is to ensure that employees are competent and trustworthy. The policy needs to take into account both local legislation and regulations and the role of the new employee, to ensure that screening is sufficient but not disproportionate. In practice, assign ownership to HR or the hiring manager and integrate screening into the existing hiring process. Some roles within an organisation may require a higher level of screening, for example if employees will be handling confidential information (e.g., a VOG in the Netherlands). You can extend this with other means, such as saving a copy of the diploma. For information security roles in particular, screening should also cover the necessary competences and trustworthiness, and this should be documented accordingly.
Evidence: a screening procedure (per role category) plus at least one completed screening record. Make sure to explicitly define the role requirements for the IS team (e.g., in the IS procedures or in a separate document) and be able to demonstrate the requirements check during the audit.
Terms and conditions of employment (6.2)
Before beginning work, the employee needs to be aware of the organisation’s information security policy, including information security roles and responsibilities. This can be communicated via signed IS rules, an acceptable use policy or a code of conduct. The employee’s contract should point to the IS rules, and include a confidentiality agreement if the employee will have access to confidential information. Use our template to implement this.
Evidence: an example of a signed contract referencing the rules, and the signed IS rules.
Information security awareness, education and training (6.3)
Employees need information security training when they join the organisation or change roles. Longer-serving personnel also need to have their awareness maintained with regular training and communication. The training needs to be relevant to the role. For many staff, this will include basics such as reminders about password security and social engineering attacks. For technical staff or those handling confidential material, more in-depth education will be required for their specific role (e.g., developers should get an additional development-focused training opportunity). In practice, create a Security Awareness presentation to present during onboarding and at the annual refresher. Make sure to update it every year with concrete real-world examples.
Evidence: training session agenda with attendance list (yearly), and the onboarding checklist.
Disciplinary process (6.4)
A policy for the disciplinary process following a confirmed information security policy violation should be in place. The disciplinary procedure should be proportionate and graduated, with actions that depend on the severity of the incident, the intention, whether it was a repeat offence and, importantly, whether the employee was adequately trained. Many recorded security incidents will be the result of a policy violation and should lead to disciplinary action. Clarify that reporting events and incidents is expected and not automatically punitive.
Evidence: IS rules containing explicit disciplinary actions
Responsibilities after termination or change of employment (6.5)
Information security responsibilities do not end when employment is changed or terminated. The employee’s terms and conditions of employment should contain confidentiality agreements, which require the employee to respect the confidentiality of information after they have left the organisation. When an employee leaves, they may also leave information security roles vacant. To maintain continuity of security, management must identify these roles so that they can be transferred. Ensure the employment contract explicitly states that confidentiality obligations continue after employment ends. On top of the confidentiality reminder in the offboarding checklist, add reminders about handing in assets and revoking access rights.
Evidence: a signed contract, and an offboarding checklist completed for at least one leaver.
Confidentiality or non-disclosure agreements (6.6)
The confidentiality of information needs to be protected by legally enforceable terms. For this, confidentiality agreements should be used, setting out the information covered, the responsibilities of all parties, the duration of the agreement and the penalties should the agreement be broken. These protect the information from disclosure for a given period after the employee has left the organisation. In practice, create an employment (and a freelancer) contract template with a non-disclosure clause that also covers the period after exit.
Evidence: employment contract template and/or a signed example.
Remote working (6.7)
Remote working has become standard at many organisations, giving both organisations and employees more flexibility. There are, however, information security implications of remote working, which should be considered and documented. The remote working policy should outline where and when remote working is permitted, device and equipment provision, authorised access and what information may be accessed remotely. Of particular importance are rules governing the use of unknown networks and the risk that information may spill over into the employee’s private sphere. In practice, explicit remote working rules should be part of the IS rules, making sure to cover private and public spaces and which mitigations to use (e.g., VPNs or privacy screen protectors).
Evidence: your IS rules document
Information security event reporting (6.8)
Employees sometimes encounter information security events during their daily work. Such events can become security incidents due to human error, confidentiality breaches, malfunctions, suspected malware infections and non-compliance with the IS policy or the law. The first step in identifying and fixing an incident and preventing its recurrence is reporting. Employees therefore need a reporting channel and must be aware of its existence, through the IS rules and the awareness training. Use the ‘event’ language: ask staff to report anything suspicious or incorrect and make it easy to do so; the security team decides later whether it is an incident.
Evidence: an example report, or a screenshot of the security reporting channel (security@ mailbox, ticket category, Teams channel).
A5 and A7 controls to include in the staff IS rules
There are some people-related controls in chapter A5 (organizational controls) and A7 (physical controls) that are more convenient to implement in the IS rules document. This is a handy summary, but check the relevant article for the full explanation.
Classification of information (5.12)
Since you have to communicate the classification rules to everyone, it makes sense to include the confidentiality labels in your IS rules document. Define 3-4 confidentiality levels (e.g., the labels public, internal use only and confidential) in your IS rules document, including who may access each level, where such information may be stored and how it may be shared.
Labelling of information (5.13)
Describe in the IS rules how to apply the confidentiality labels: the default classification for unlabelled documents (e.g., confidential), where to apply the label in a document (e.g., title page, headers or footers) and how to label other artefacts (metadata such as filenames, or tags on cloud CMSs).
Acceptable use of information and other associated assets (5.10)
First implement the 5.12 and 5.13 controls above, so that a confidentiality labelling procedure is in place. Then document clear rules for accessing and handling information assets based on their confidentiality level, including how to store, share, transmit and physically secure them.
Return of assets (5.11)
In your staff rules document, define clear protocols for sharing information across all channels (digital, physical, verbal for confidential information), specifying approved communication tools and handling rules to reduce leakage risks.
Intellectual property rights (5.32)
Document in the staff rules the ownership and permitted use of text and media, the rules on copyright, attribution, and the prohibition of pirated software.
Clear desk and clear screen (7.7)
Reduce unauthorized access by enforcing clear desk and clear screen rules, including automatic screen locking and no unattended printed documents on desks, as part of the staff IS rules.
Each control in ISO 27002:2022 comes with guidance and implementation suggestions beyond what is summarised in this article. For further information, we therefore recommend reading the standard itself. For a summary of the other chapters in ISO 27002:2022, please visit our blog posts on chapter 5 – organisational controls, chapter 7 – physical controls and chapter 8 – technological controls. Also, check our YouTube channel.
Questions or help needed in implementing controls? Get in touch with our consultants!
Image credit: Marvin Meyer @marvins_memories via Unsplash
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT contracts. He is also an ISO 27001 and NEN 7510 auditor and an AI researcher.