ISO 27001 Information Security - Annex A 6 People Controls
18th April 2023 - ISO 27001 Information Security in plain English - Post #19 in the series.
ISO 27001 - Annex A 6 People Controls
Something that sets ISO 27001 apart from the other ISO management system standards is its Annex A. This is a table of controls derived from the detailed guidance published in ISO 27002 (the companion standard that provides reference guidance on information security controls).
What is a control? A control is defined by ISO as a measure that modifies or maintains risk. Those measures might include policies, processes, practices, devices or other conditions or actions.
There are 93 controls specified in Annex A, and they are spread over 4 categories - each of which deals with a different facet of information security. Annex A is actually longer than the regular clauses.
In the previous article in this series, we looked at the first category in Annex A - 5: Organizational controls. In case you are wondering why that first category was numbered as 5, it's to maintain numbering compatibility with ISO 27002. That is a very handy reference standard for determining and implementing risk treatment controls in an ISMS.
This article is about Annex A 6 People controls. A 6 is a relatively small category with just 8 controls. For the convenience of those looking to update their ISMS from the previous version of ISO 27001, we have included the relevant control numbers from that standard in brackets. Here goes...
Annex A 6.1 Screening (7.1.1)
Controls implemented prior to commencing employment include appropriate background checks and ensuring that contracts of employment / engagement are clear about information security responsibilities. The extent of those background checks will vary depending on the nature of the organization's business and the role in question, and ISO 27002 expects them to be carried out prior to joining and, where the role warrants it, repeated on an ongoing basis rather than treated as a one-off at hiring time.
Background checks on candidates for employment should be commensurate with legal and regulatory requirements, any other compliance obligations, ethical and business considerations, and the level of risk associated with the role and the classification of the information it gives access to.
Annex A 6.2 Terms and conditions of employment (7.1.2)
Management has a responsibility to ensure that people are aware of and fulfil their information security responsibilities. Requirements may be expressed in policies and procedures, and also more generally in job descriptions and in the contracts that set out the terms and conditions of employment / engagement. Confidentiality / non-disclosure agreements may form part of the contract documents. Alternatively, they may be separate documents, which offers the flexibility of using them in non-contractual situations, e.g. when collaborating with other organizations on a project. Signing or otherwise assenting to such agreements would normally take place at (or even prior to) the commencement of employment or the contract.
For small business employers in Australia, there is an employment contract tool available at the Federal Government web site employ.business.gov.au. This handy tool helps employers to make a basic employment contract that complies with workplace laws. You may use it to create a contract for an employee under the national industrial relations system. You can use it for full-time, part-time and casual employees to whom a modern award applies. However, there are some types of workers for whom the tool isn't suitable. Visit the site for details.
Annex A 6.3 Information security awareness, education and training (7.2.2)
There needs to be a continual program of awareness and training that keeps people up to date with any changes to policies, procedures, methodologies, risks etc. A single induction session does not satisfy this control; the awareness activity has to be repeated and refreshed as things change.
Some typical examples of ongoing information security awareness, education and training might include:
- Team briefings.
- Computer-based information security awareness training.
- Simulated phishing exercises.
- Cyber security alerts.
Annex A 6.4 Disciplinary process (7.2.3)
A formal disciplinary process must be established and communicated regarding the action to be taken against workers who have committed an information security breach. The process should ensure that there is both correct and fair treatment for workers who are suspected of committing an information security breach (including the presumption that a breach is established before sanctions are applied). It should also provide for an appropriately graduated response that takes into consideration relevant factors such as the nature and severity of the breach, whether it was intentional or accidental, and whether it is a first or repeated offence.
Annex A 6.5 Responsibilities after termination or change of employment (7.3.1)
The organization also needs to define how information will be protected when workers have a change of role or when a person's employment is terminated. Contracts and confidentiality agreements may stipulate which responsibilities remain after termination, but it is useful to include reminders of those continuing obligations as part of the termination or off-boarding process, alongside the practical steps of revoking access and recovering assets.
Annex A 6.6 Confidentiality or non-disclosure agreements (13.2.4)
Organizations should consider the use of NDAs (non-disclosure agreements) and confidentiality agreements in employment and other contracts. Such clauses may be necessary in situations where the data is governed by legal and regulatory requirements, for example personal data covered by the EU or UK GDPR (General Data Protection Regulation). A usable agreement should make clear what information is considered confidential, how long the obligations last, and what the signatory must do with the information when the agreement ends.
Annex A 6.7 Remote working (6.2.2)
The previous version of ISO 27001 used the term 'Teleworking'; the current version has changed to what was already the more popular term, 'Remote working'. Other related terms in common use are WFH (Working From Home) and WFA (Work From Anywhere). This illustrates the fact that your ISMS doesn't have to employ the same terminology as ISO 27001. It's more important that the wording in your documents is meaningful to the people involved in your business.
While not specifically required by ISO 27001, a typical approach to addressing this control would include a documented remote working policy, supported by an assessment checklist (covering, for example, the physical security of the remote location, protection of the devices used, and secure communications back to the organization) and awareness training.
Annex A 6.8 Information security event reporting (16.1.2 / 16.1.3)
An information security event can:
- Be one or more occurrences.
- Have several causes.
- Consist of something not happening. That would perhaps be most relevant when the event was expected to occur.
- Sometimes be referred to as an "incident" in everyday usage, although ISO 27000 reserves "information security incident" for events that have a significant probability of compromising business operations and threatening information security.
All workers should be made aware of their responsibility to promptly report any information security events, suspected breaches and observed weaknesses (the latter being the subject of the old 16.1.3). Deciding whether a reported event is actually an incident is the job of the organization's incident management process, not of the person reporting it, so the reporting route should be simple and should not discourage people from raising something that turns out to be a false alarm.
That concludes our brief introduction to ISO 27001 Annex A 6 People Controls. The next article in this series will look at Annex A 7 Physical Controls.
There's nothing like word of mouth to share creative content. So, if you found this blog informative, please share it with a colleague or business associate.
About the series 'ISO 27001 Information Security in plain English'
This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.
This blog series began with an introductory webinar. A copy of the slide deck is available for you here:
Now updated for the latest version of the standard - ISO 27001:2022.