People Controls (A.6)

People are both your greatest asset and your greatest risk. Annex A.6 contains 8 controls focused on ensuring personnel understand their responsibilities and are trustworthy throughout the employment lifecycle.

Overview of People Controls

ISO 27001:2022 Annex A.6 covers:

A.6.1 Screening
A.6.2 Terms and conditions of employment
A.6.3 Information security awareness, education and training
A.6.4 Disciplinary process
A.6.5 Responsibilities after termination or change of employment
A.6.6 Confidentiality or non-disclosure agreements
A.6.7 Remote working
A.6.8 Information security event reporting

These controls manage the human element of security from hiring through termination.

A.6.1 - Screening

Purpose: Verify the background of candidates before granting access to sensitive information.

Control Statement: "Background verification checks on all candidates for employment shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks."

Screening Activities

Pre-Employment Screening:

1. Identity Verification

Government-issued photo ID
Social security number verification (where applicable)
Address verification
Right to work documentation

2. Employment History

Verify previous employers
Check employment dates
Confirm job titles and responsibilities
Note reasons for leaving
Identify unexplained gaps

3. Education Verification

Confirm degrees obtained
Verify institutions attended
Check professional certifications
Validate claimed credentials

4. Reference Checks

Professional references (minimum 2-3)
Ask about work performance
Inquire about reliability
Assess character and judgment
Verify no known security issues

5. Criminal Background Check

Jurisdiction-appropriate checks
Consider relevant offenses only
Follow local legal requirements
Document decision rationale
Apply consistently

6. Credit Check

For financial positions
For positions with purchasing authority
Where legally permitted
Assess financial responsibility
Identify potential vulnerability to coercion

7. Social Media Review

Public social media profiles
Professional networking sites
Publicly available information only
Respect privacy boundaries
Note concerning behaviors

Risk-Based Screening Levels

Level 1: Basic Screening For low-risk positions with minimal data access:

Identity verification
Employment history check
Reference checks

Level 2: Standard Screening For positions with regular data access:

All Level 1 checks
Education verification
Criminal background check

Level 3: Enhanced Screening For positions with privileged access or sensitive data:

All Level 1 and 2 checks
Credit check
More extensive criminal check
Security clearance (if required)
Additional references

Level 4: Comprehensive Screening For executive or highly sensitive positions:

All previous checks
International background checks
Financial disclosure
Drug screening (where permitted)
Polygraph (in specific contexts only)

Ongoing Screening

Periodic Re-screening:

Every 3-5 years for sensitive positions
When promoted to higher access
If security concerns arise
Following extended leave
For continued clearance requirements

Legal Considerations

Comply With:

Equal Employment Opportunity laws
Fair Credit Reporting Act (US) or equivalent
Data protection regulations (GDPR, etc.)
Local employment laws
Industry-specific requirements

Best Practices:

Obtain written consent before screening
Use consistent criteria
Make hiring decisions on legitimate business needs
Provide opportunity to explain negative findings
Keep screening records confidential
Document screening decisions

Screening Process

1. Candidate applies
2. Initial screening by HR
3. Candidate provides consent for background check
4. Background check performed
5. Results reviewed
6. Hiring decision made
7. Documentation maintained
8. Onboarding proceeds if approved

A.6.2 - Terms and Conditions of Employment

Purpose: Ensure personnel understand their security responsibilities.

Control Statement: "The employment contractual agreements shall state the personnel's and the organization's responsibilities for information security."

Security Clauses in Employment Agreements

1. Confidentiality Obligations

Employee agrees to:
- Maintain confidentiality of all proprietary information
- Not disclose confidential information to unauthorized parties
- Protect confidential information during and after employment
- Return all confidential information upon termination
- Not use confidential information for personal benefit

2. Acceptable Use

Employee agrees to:
- Use organizational resources for business purposes only
- Comply with Acceptable Use Policy
- Not install unauthorized software
- Not circumvent security controls
- Submit to monitoring of systems and communications

3. Security Responsibilities

Employee agrees to:
- Comply with all information security policies
- Complete required security training
- Report security incidents immediately
- Protect authentication credentials
- Follow security procedures and guidelines

4. Intellectual Property

Employee agrees that:
- Work product belongs to the organization
- Inventions and creations are company property
- No use of third-party IP without authorization
- Organization retains all IP rights

5. Data Protection and Privacy

Employee agrees to:
- Process personal data only as authorized
- Comply with privacy policies and laws
- Protect personal data appropriately
- Report privacy incidents immediately
- Complete privacy training

6. Consequences of Violation

Employee understands that:
- Security policy violations may result in disciplinary action
- Serious violations may lead to termination
- Legal action may be pursued
- Criminal violations will be reported to authorities
- No violation penalty will prevent legal prosecution

7. Post-Employment Obligations

Employee agrees that:
- Confidentiality continues after employment ends
- Company property must be returned
- Passwords and access must be disclosed
- No company information to be retained
- Non-compete and non-solicitation apply (if applicable)

Additional Contract Types

Contractors and Consultants:

Similar security obligations as employees
Non-disclosure agreement (NDA)
Acceptable use requirements
Access termination upon contract end
Third-party liability provisions

Third-Party Agreements:

Master service agreement (MSA)
Statement of work (SOW) with security requirements
Service level agreement (SLA) including security
Right to audit provisions
Incident notification requirements

A.6.3 - Information Security Awareness, Education and Training

Purpose: Ensure all personnel receive appropriate information security awareness, education and training.

Control Statement: "Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function."

Security Awareness Program

Program Components:

1. Initial Security Awareness (New Hire) Timing: During onboarding, before system access Duration: 1-2 hours Content:

Information security policy overview
Data classification and handling
Acceptable use requirements
Password and authentication standards
Physical security basics
Incident reporting procedures
Confidentiality obligations

Delivery:

Online training module
Live presentation
Written materials
Acknowledgment signature required

2. Annual Security Awareness Refresher Timing: Annually for all personnel Duration: 30-60 minutes Content:

Policy updates
Current threat landscape
Recent incidents (sanitized examples)
Best practices
New security tools or processes
Regulatory changes

Delivery:

Online course
Video presentations
Interactive modules
Assessment/quiz
Completion certificate

3. Ongoing Awareness Activities Frequency: Monthly or quarterly Methods:

Security newsletters
Tip-of-the-month emails
Posters and signage
Lunch-and-learn sessions
Security awareness month
Simulated phishing exercises
Security trivia contests
Screen savers with security tips

4. Role-Specific Training

Developers:

Secure coding practices
OWASP Top 10
Code review procedures
Secure SDLC
Application security testing

System Administrators:

Secure configuration standards
Patch management
Access control implementation
Log monitoring
Incident response

Managers:

Security leadership responsibilities
Access approval procedures
HR security requirements
Budget for security
Compliance obligations

Security Team:

Advanced security training
Professional certifications
Tool-specific training
Threat intelligence
Incident response
Forensics

5. Specialized Training

Privacy/GDPR:

For anyone handling personal data
Data subject rights
Privacy by design
Breach notification
Data processing requirements

Incident Response:

For incident response team
Detection and analysis
Containment strategies
Evidence collection
Communication protocols

Business Continuity:

For BC team members
Recovery procedures
Roles and responsibilities
Communication plans
Testing exercises

Training Program Management

Training Plan:

Role: All Personnel
- New hire security awareness
- Annual security refresher
- Acceptable use acknowledgment
- Phishing awareness

Role: Developers
- All general training
- Secure coding (annual)
- Tool-specific training (as needed)
- Application security (biennial)

Role: IT Staff
- All general training
- System administration security (annual)
- Technology-specific training (as needed)
- Incident response basics (annual)

Role: Managers
- All general training
- Manager security responsibilities (annual)
- HR security procedures (during promotion)
- Access governance (annual)

Tracking and Records: Maintain records of:

Training attended by each person
Completion dates
Assessment scores
Certificates earned
Acknowledgments signed
Upcoming required training
Training compliance reports

Effectiveness Measurement:

Training completion rates
Assessment scores
Phishing simulation results
Incident reporting rates
Policy compliance metrics
Employee feedback surveys

Security Awareness Topics

Essential Topics:

Password security and MFA
Phishing and social engineering
Malware and ransomware
Physical security
Data classification and handling
Mobile device security
Remote working security
Incident reporting
Privacy and data protection
Acceptable use
Clean desk/screen
Visitor management

Advanced Topics:

Advanced persistent threats
Supply chain security
Cloud security
Encryption and cryptography
Secure development
Vulnerability management
Threat intelligence
Security architecture

A.6.4 - Disciplinary Process

Purpose: Address information security policy violations consistently and fairly.

Control Statement: "There shall be a formal disciplinary process for personnel who have committed an information security policy violation."

Disciplinary Process Framework

1. Policy Violations

Minor Violations:

First-time unintentional policy breach
No harm or minimal impact
No malicious intent

Examples:

Leaving desk unlocked momentarily
Forgetting to shred confidential document
Clicking simulated phishing email
Password written down but secured

Response:

Verbal reminder
Coaching and education
Document in file
No formal discipline

Moderate Violations:

Repeated minor violations
Potential for harm
Negligence but not malicious

Examples:

Repeatedly failing security training
Sharing passwords
Unauthorized software installation
Removing confidential data without authorization
Working on sensitive matters in public

Response:

Written warning
Mandatory retraining
Closer supervision
Loss of certain privileges
Document in personnel file

Serious Violations:

Significant security breach
Substantial risk or harm
Deliberate policy violation

Examples:

Intentional circumvention of security controls
Unauthorized data disclosure
Theft of information
Sabotage
Gross negligence

Response:

Suspension pending investigation
Termination of employment
Legal action
Law enforcement notification
Document thoroughly

2. Investigation Process

Step 1: Incident Reported or Discovered
- Security team notified
- Initial assessment
- Preserve evidence

Step 2: Investigation Initiated
- Assign investigator
- Define scope
- Gather facts
- Interview witnesses
- Analyze evidence

Step 3: Findings Documented
- Document what happened
- Identify who was involved
- Determine intent
- Assess impact
- Recommend action

Step 4: Disciplinary Decision
- HR reviews findings
- Consult with legal
- Consider precedent
- Determine appropriate action
- Notify employee

Step 5: Action Taken
- Implement discipline
- Document decision
- Communicate to employee
- Provide appeal process
- Monitor for recurrence

Step 6: Follow-up
- Verify corrective action
- Additional training if needed
- Update policies if needed
- Share lessons learned (anonymously)

3. Legal Considerations

Follow employment laws
Respect employee rights
Maintain confidentiality
Document everything
Be consistent in applying discipline
Allow employee to respond
Provide appeal mechanism
Consult legal counsel for serious violations

A.6.5 - Responsibilities After Termination or Change

Purpose: Ensure security responsibilities continue after employment changes.

Control Statement: "Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties."

Post-Employment Obligations

1. Continuing Confidentiality

After employment ends, former employees must:
- Continue to protect confidential information
- Not disclose trade secrets
- Not use proprietary information
- Not retain company documents or data
- Not assist competitors with company information

Duration:

Trade secrets: Indefinitely
Confidential information: Typically 2-5 years
General business information: 1-2 years

2. Intellectual Property

Former employees must:
- Not claim ownership of work product
- Assign all IP rights to company
- Not use company IP for personal benefit
- Disclose any inventions
- Cooperate with IP protection

3. Non-Compete (where enforceable)

Former employees may be restricted from:
- Working for direct competitors
- Starting competing business
- Soliciting customers
- Soliciting employees
- Using client lists

4. Return of Property

Former employees must return:
- All company equipment
- Access badges and keys
- Documents and files
- Confidential information
- Customer data
- Any company property

5. Cooperation

Former employees must:
- Cooperate with ongoing matters
- Provide assistance in transitions
- Answer questions about their work
- Testify if legal matters arise
- Not disparage the company

Change of Role

Internal Transfers:

Review and update access rights
New role training
Updated confidentiality for new access
Return of role-specific assets
Transfer of responsibilities

Promotions:

Enhanced screening if required
Additional access granted
Leadership security training
Updated job description
New confidentiality level

Demotions:

Remove privileged access
Reassess trust level
Monitor closely
Consider security risk
Update agreements

A.6.6 - Confidentiality or Non-Disclosure Agreements

Purpose: Protect confidential information through legal agreements.

Control Statement: "Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and relevant interested parties."

NDA Types and Use

1. Employee NDA Included in employment agreement or separate document.

Key provisions:

Definition of confidential information
Obligations to protect
Permitted disclosures
Duration of obligation
Remedies for breach
Return of information

2. Contractor/Consultant NDA Before any confidential discussion or data access.

Includes:

Project-specific confidential information
Work product ownership
Subcontractor restrictions
Audit rights
Indemnification

3. Third-Party/Vendor NDA Mutual or one-way as appropriate.

Covers:

Shared information
Use restrictions
Disclosure limitations
Data handling requirements
Security obligations
Breach notification

4. Visitor NDA For visitors to secure facilities.

Addresses:

Information observed during visit
Prohibition on recording
Limited access areas
Short-term obligation

NDA Components

1. Parties
   - Define who is bound
   - Include successors/assigns

2. Definition of Confidential Information
   - Specific types of information
   - What is NOT confidential (exclusions)
   - How information is marked

3. Obligations
   - Maintain confidentiality
   - Use only for specified purpose
   - Protect from unauthorized disclosure
   - Limit internal sharing to need-to-know
   - Not reverse engineer

4. Permitted Disclosures
   - Required by law
   - With prior written consent
   - To authorized representatives
   - Already publicly known

5. Term
   - Effective date
   - Duration (e.g., 3-5 years)
   - Survival after termination
   - Return of information

6. Remedies
   - Injunctive relief
   - Monetary damages
   - Attorney fees
   - Right to audit

7. General Provisions
   - Governing law
   - Jurisdiction
   - Entire agreement
   - Amendments in writing

NDA Management

Process:

Identify need for NDA
Use appropriate template
Customize as needed
Legal review if significant
Both parties sign
Maintain signed copy
Track expiration dates
Renew if continuing relationship
Enforce if breached

Best Practices:

Sign NDAs before sharing information
Use clear, specific language
Make obligations realistic
Ensure consideration (value exchange)
Keep registry of all NDAs
Review and update templates regularly
Train personnel on importance

A.6.7 - Remote Working

Purpose: Secure information when personnel work remotely.

Control Statement: "Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises."

Remote Working Security Requirements

1. Remote Access

VPN Requirements:

Always use VPN for remote access
Multi-factor authentication mandatory
Strong encryption (AES-256)
Full tunnel (no split tunneling)
Automatic connection when remote
Session timeout after inactivity
VPN client auto-updates

Access Controls:

Network access control (NAC)
Endpoint compliance checking
Posture assessment before access
Limited access to necessary resources only
Privileged access from secure locations only

2. Endpoint Security

Company-Provided Devices:

Full disk encryption
Endpoint protection (antivirus/EDR)
Firewall enabled
Automatic updates
Mobile device management (MDM)
Remote wipe capability
Configuration management

BYOD (If Permitted):

Containerization of work data
Mobile application management (MAM)
Separate work profile
Security baseline requirements
Consent to management
Wipe capability for work data only

3. Home Network Security

Requirements:

Change router default password
Enable WPA3 or WPA2 encryption
Disable WPS
Update router firmware
Use strong WiFi password
Separate work and personal networks (if possible)
Disable remote administration

4. Physical Security

Work Environment:

Private workspace recommended
Lock screen when away (automatic after 5 min)
No working in public places with sensitive data
Privacy screens for public areas
Secure storage for documents and devices
Report lost/stolen devices immediately

5. Data Handling

Restrictions:

No printing confidential documents at home
Use company cloud storage only
No personal cloud storage for work data
No use of personal email for work
Encrypt sensitive files
Securely delete when no longer needed

6. Communication Security

Requirements:

Use company communication tools
Video conferences in private spaces
Be aware of visual/audio background
No discussion of confidential matters in public
Secure voice and video calls
Mute when not speaking

Remote Working Policy Example

# Remote Working Policy

## Eligibility
[Define who can work remotely and under what conditions]

## Security Requirements

1. Use only approved company devices
2. Connect via VPN for all work access
3. Enable full disk encryption
4. Use strong authentication (MFA)
5. Keep devices updated and patched
6. Use antivirus/endpoint protection
7. Lock screen when unattended
8. Secure home network
9. Work in private, secure location
10. Report security incidents immediately

## Prohibited Activities
- Using public WiFi without VPN
- Allowing others to use work devices
- Installing unauthorized software
- Storing work data on personal devices/cloud
- Working on sensitive matters in public
- Sharing screens with confidential information visible

## Incident Reporting
Report immediately:
- Lost or stolen devices
- Security incidents
- Suspected compromise
- Technical problems preventing secure access

## Compliance
- Remote work is a privilege
- Must comply with all policies
- Subject to monitoring
- Violation may result in:
  * Loss of remote work privilege
  * Disciplinary action
  * Termination

A.6.8 - Information Security Event Reporting

Purpose: Ensure timely reporting of security events.

Control Statement: "The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner."

Event Reporting Mechanism

1. Reporting Channels

Primary Channel:

Security team email: [email protected]
Security hotline: [24/7 phone number]
Internal portal/ticketing system
Mobile app for reporting

Alternative Channels:

Direct manager
HR department
Compliance officer
Anonymous reporting hotline
External ethics hotline

2. What to Report

Security Events:

Suspicious emails or communications
Malware alerts
Unauthorized access attempts
Unusual system behavior
Lost or stolen devices
Unattended visitors
Security control failures
Weak or bypassed security
Data breaches or leaks
Physical security issues

Even If Unsure:

Better to report and investigate
No penalty for good-faith reports
"See something, say something"

3. Reporting Process

1. Observe event or incident
2. Do not investigate on your own
3. Report via appropriate channel
4. Provide as much detail as possible:
   - What happened
   - When it occurred
   - Where it happened
   - Who was involved
   - What systems/data affected
   - Actions taken (if any)
5. Preserve evidence if possible
6. Follow up as requested
7. Do not discuss with unauthorized persons

4. Response to Reports

When event reported:

Acknowledge receipt immediately
Assign tracking number
Assess and triage
Investigate as appropriate
Keep reporter informed
Take corrective action
Document outcome
Thank reporter

5. Encouraging Reporting

Create Reporting Culture:

No blame for good-faith reports
Recognize and reward reporting
Make reporting easy
Respond promptly
Communicate outcomes (when appropriate)
Show reports make a difference
Protect reporters from retaliation

Anonymous Reporting:

Allow anonymous reports
Third-party hotline if needed
Investigate anonymous reports seriously
No attempt to identify anonymous reporters
Unless required by law

6. Metrics and Monitoring

Track:

Number of events reported
Response times
Event types and trends
Reporting channel usage
Reporter demographics
Time to resolution
False positive rate

Use to:

Identify training needs
Improve detection
Enhance controls
Recognize security champions
Report to management

People Controls Implementation Plan

Month 1: Foundation

Update employment agreements with security clauses
Develop NDA templates
Create screening procedures
Define roles and responsibilities

Month 2: Training Program

Develop security awareness content
Create online training modules
Plan phishing simulation program
Establish training tracking system

Month 3: Policies and Processes

Publish remote working policy
Establish event reporting channels
Create disciplinary process
Document post-employment obligations

Month 4: Rollout and Operations

Launch security awareness program
Begin phishing simulations
Implement ongoing screening
Start compliance monitoring

Ongoing:

Conduct training regularly
Monitor compliance
Update based on incidents
Continually improve

Next Lesson: Physical Controls (A.7) - Learn about the 14 physical security controls including security perimeters, physical entry controls, securing offices and equipment, and protection against physical and environmental threats.