Cyberzoni Iso 27001

ISO/IEC 27002:2022 Clause 6 – People Controls Comprehensive Guide

ISO/IEC 27002:2022 Clause 6 – People Controls (ISO/IEC 27001:2022 Annex A.6) is a critical component of an Information Security Management System (ISMS) that focuses on the human factors of security.

These eight controls (Annex A controls A.6.1 through A.6.8) address human-related security risks – such as employee mistakes, insider threats, or lack of security awareness.


Why are people controls important?

These controls span the entire employee lifecycle – from hiring to termination – and beyond.
Clause 6 covers everything from vetting new hires with background checks and embedding security obligations in employment contracts to providing ongoing security awareness training and defining disciplinary actions for policy violations.
It also ensures that departing staff understand their post-employment responsibilities (like confidentiality), that remote work is conducted securely, and that every employee knows how to report security incidents or weaknesses. 

Control 6.1 – Screening (Pre-Employment Background Checks)

Control A.6.1 requires organizations to perform appropriate background checks on personnel (employees and relevant contractors or suppliers) before granting them access to sensitive information. The goal is to ensure that anyone in a trusted role is trustworthy and qualified, in compliance with any legal, regulatory, and security requirements. By screening candidates (e.g. verifying identity, criminal record, employment history, references, and qualifications), organizations reduce the risk of insider threats or negligence from the outset. For example, it’s common to require more extensive vetting (such as security clearance checks) for roles handling highly sensitive data or systems. This control recognizes that hiring unvetted or unqualified individuals can expose the organization to significant security risks.

Implementation Best Practices

Develop a screening policy as part of your HR onboarding process, aligned with local laws and proportional to the sensitivity of the role. At minimum, use a checklist to verify each new hire’s identity (photo ID), right to work, references, and any required background criteria before they start work. Ensure that screening results are linked to access management – for example, grant system access or privileged permissions only after background checks are successfully completed. For especially sensitive positions, plan for additional vetting (e.g. credit checks, security clearances) and consider re-screening if an employee is promoted into a higher-risk role. It’s also wise to document the screening outcomes (such as maintaining an HR record that required checks were performed) so you can demonstrate compliance to auditors without exposing personal details. By diligently vetting personnel, you ensure that only “fit and proper” people are entrusted with critical information, thereby greatly reducing the likelihood of internal security incidents.

Control 6.1 – Screening: see the dedicated Control 6.1 guide for further details on background screening, role-based vetting, and what auditors typically expect as evidence.

Control 6.2 – Terms and Conditions of Employment (Security in Job Contracts)

Control A.6.2 requires that security responsibilities be formally stated in employees’ contractual agreements. In practice, this means an organization’s employment terms and conditions must include clauses that define both the employee’s and the employer’s information security obligations. By embedding security expectations into job contracts (or associated documents like employment agreements or staff handbooks), the organization ensures that personnel are aware of their duty to protect information and the consequences of non-compliance from day one. Key areas to address include confidentiality, data protection, acceptable use of company assets, requirements to follow security policies, and the need to undergo training and awareness activities. The importance of A.6.2 is that it creates a clear, binding commitment: staff acknowledge in writing their roles in safeguarding information, and management commits to supporting those obligations. This mutual accountability lays the groundwork for a security-conscious work environment.

Implementation Best Practices

Review your employment offer letters, contracts, or employee handbook to insert explicit information security clauses. For example, include statements that the employee must follow the organization’s security policies and procedures, protect confidential information, complete required training, and report security incidents. Likewise, include the organization’s responsibilities such as providing training and secure tools. Often, organizations cover these points via a confidentiality or security agreement that new hires sign along with their contract (or as an addendum). Make sure to coordinate with your HR and legal teams so that these clauses comply with labor laws and are enforceable. A practical approach is to create a standard information security agreement (ISA) for all staff – this can be part of the contract or a separate document referenced by the contract. By clearly communicating security duties and rights in writing, you set expectations up front and give your compliance team and managers a basis to hold personnel accountable if they violate security requirements.

Many companies include an “Acceptable Use” agreement and confidentiality terms that employees sign during onboarding, which cover proper use of IT systems, data confidentiality, and acknowledgement of security policies.

Control 6.2 – Terms and conditions of employment: see the dedicated Control 6.2 guide to learn more about embedding information security responsibilities into employment terms (including confidentiality, acceptable use, and policy acknowledgement).

Control 6.3 – Information Security Awareness, Education and Training

Control A.6.3 is about equipping all personnel with the knowledge and skills to fulfill their security responsibilities. It requires organizations to establish security awareness and training programs so that employees (and relevant contractors) understand current threats, security policies, and safe practices. The rationale is that informed employees are far less likely to fall victim to phishing or social engineering and more likely to follow procedures that protect the organization. Regular training also fosters a culture where security is everyone’s job. This control covers initial orientation for new hires (security induction) as well as ongoing education (e.g. annual refresher courses, targeted training for specific roles). A well-educated workforce can actively help prevent incidents or spot them early, thereby significantly strengthening the ISMS’s effectiveness.

Implementation Best Practices

Build a structured information security awareness program that includes multiple touchpoints. At a minimum, provide a comprehensive security briefing or training module to new employees as part of onboarding. This induction should introduce key policies (Information Security Policy, Acceptable Use Policy, etc.) and basic practices like how to handle sensitive data, create strong passwords, recognize phishing emails, and maintain a clear desk. Then, ensure you have ongoing training for existing staff – for example, require everyone to complete an annual security awareness refresher course (online or in-person) and send out regular security tips or newsletters to keep knowledge fresh. Training should be updated to address emerging threats (e.g. new phishing techniques or remote work risks) and, where possible, tailored to employees’ roles (IT admins may need deeper technical training, developers need secure coding training, etc.). Track attendance and comprehension (quizzes or simulations) to gauge effectiveness.

Many organizations conduct periodic simulated phishing exercises and then follow up with training for anyone who clicks on a fake phishing link – this reinforces learning and reduces the chance of a real compromise. Remember, the goal is to create a workforce that is aware and vigilant; as cyberattacks grow more sophisticated, continuous education is critical to reduce human error.

Control 6.3 – Information security awareness, education and training: For deeper implementation advice on building an effective awareness and training program (frequency, role-based content, and measurable outcomes), review the dedicated Control 6.3 guide.

Control 6.4 – Disciplinary Process

Control A.6.4 ensures that there are formal consequences for employees (or other users) who violate the organization’s information security policies. In other words, the ISMS must be backed by a disciplinary process that can be applied in the event of security breaches, negligence, or non-compliance. The purpose is twofold: to deter individuals from ignoring security requirements, and to provide a clear, fair method to address incidents caused by human behavior. By tying policy violations to potential disciplinary actions (like warnings, suspension, or termination), an organization emphasizes that security is taken seriously at all levels. This control is important because without enforcement, even the best policies might be ignored. It reinforces accountability – staff know that disregarding security rules (e.g. sharing passwords, disabling safeguards, mishandling data) will have repercussions, which in turn encourages compliance.

Implementation Best Practices

Integrate information security into your existing HR disciplinary procedures. Typically, the employee handbook or HR policy manual should state that failure to comply with information security policies may result in disciplinary action, up to and including termination (in line with local labor laws). It’s effective to mention this in each major security policy as well – for example, at the end of your Acceptable Use Policy or Clean Desk Policy, note that violations are subject to disciplinary action. Ensure that all personnel are made aware of this policy (usually via acknowledgement forms or training). In practice, minor first-time infractions might result in a verbal or written warning, while serious or intentional breaches could lead to stricter penalties.

The disciplinary process must be applied consistently and fairly. Work with HR to define what types of security violations correspond to which level of discipline, and document any incidents and actions taken. For instance, if an employee repeatedly tailgates into a secure area or ignores password rules, the process might escalate from a warning to mandatory re-training, and eventually to formal disciplinary review if not corrected.

By linking policy compliance to the HR enforcement framework, you create a deterrent effect – policies serve as a “preventive” control, but they only carry weight if people know there are consequences for ignoring them. Clear communication of this (during security training and in writing) is vital so that the expectation and ramifications are understood by everyone.

Control 6.4 – Disciplinary process: see the dedicated Control 6.4 guide to learn more about defining and documenting disciplinary actions for security policy breaches in a fair and audit-ready way.

Control 6.5 – Responsibilities After Termination or Change of Employment

Control A.6.5 addresses how organizations handle security when an employee leaves or changes roles. The goal is to protect information by defining and enforcing obligations that survive beyond an individual’s employment, and by planning for secure transitions of duties. There are two primary aspects. (1) Post-employment obligations: ensuring that those who have left the company (or moved to a new role) continue to respect confidentiality and do not misuse information they had access to. This often involves contractual clauses like non-disclosure agreements that remain in effect even after employment ends (e.g. an ex-employee must not disclose confidential data for X years). (2) Succession planning and handover: making sure that when someone leaves, any critical responsibilities they had are transferred or managed so that security isn’t compromised. For example, their accounts should be disabled, company assets returned, and key contacts (clients, partners, team members) informed if needed. This control is crucial for preventing data leaks or business disruptions during offboarding. Without it, a departing staff member might retain access or knowledge that could be abused, or their absence could leave security gaps.

Implementation Best Practices

Establish a robust offboarding process in coordination with HR and IT. For every termination or role change, have a checklist that includes: disabling or transferring IT accounts and access cards, recovering laptops, USB drives, keycards and any other company property, and reminding the individual of their ongoing confidentiality duties (often by having them sign an exit form re-affirming any NDAs or contract clauses). Many organizations include confidentiality and non-disclosure clauses in the employment contract that explicitly survive termination (e.g. “You shall not divulge confidential information obtained during your employment for X years after leaving”) – verify that your contracts have this, as it gives legal grounds to act if an ex-employee tries to leak information. Also consider the knowledge transfer aspect: if an employee with security responsibilities or critical knowledge is leaving, ensure they hand over documentation, keys, or permissions to a designated successor. Notify relevant internal departments or external parties as appropriate that the person has left, especially if that affects access rights (for instance, alert your managed service provider that the person is no longer authorized on the account).

Make sure nothing falls through the cracks when people exit – close their access promptly and legally bind them to continued confidentiality. A strong example is a company automatically revoking all system access at the HR-confirmed time of departure and requiring an exit interview where the employee is reminded of their NDA obligations and asked to return all badges and devices.
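As an added example (not from this guide), the following Python check reconciles an HR roster against a directory export to enforce the two access gates described above: no enabled account before screening is complete (Control 6.1) and no enabled account after the HR-confirmed departure time (Control 6.5). The record fields and every roster and account entry are constructed sample data, not a real HR or directory schema.

```python
"""Joiner/mover/leaver reconciliation for Annex A.6.1 and A.6.5.

Compares an HR roster against a directory export and flags:
  * accounts enabled although pre-employment screening is outstanding,
    or created before screening completed (A.6.1);
  * accounts still enabled after the HR-confirmed departure time, and
    accounts with no HR record at all (A.6.5).
All records below are constructed sample data; the field names are
assumptions, not a real HR or directory schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    screening_completed: Optional[datetime]  # None: checks not yet finished
    departure: Optional[datetime]            # HR-confirmed leaving time; None if active


@dataclass(frozen=True)
class Account:
    username: str
    person_id: str
    enabled: bool
    created: datetime
    privileged: bool = False


def find_violations(roster, accounts, now):
    """Return (username, control, reason) tuples for every mismatch found."""
    by_person = {rec.person_id: rec for rec in roster}
    findings = []
    for acct in accounts:
        tag = " [privileged]" if acct.privileged else ""
        rec = by_person.get(acct.person_id)
        if rec is None:
            # Nobody in HR owns this login: offboarding or provisioning missed it.
            findings.append((acct.username, "A.6.5", "no HR record for account" + tag))
            continue
        if rec.screening_completed is None:
            if acct.enabled:
                findings.append((acct.username, "A.6.1", "enabled while screening outstanding" + tag))
        elif acct.created < rec.screening_completed:
            # Access existed before the checks were passed, so the gate was bypassed.
            findings.append((acct.username, "A.6.1", "created before screening completed" + tag))
        if rec.departure is not None and now >= rec.departure and acct.enabled:
            findings.append((acct.username, "A.6.5", "still enabled after departure" + tag))
    return findings


# Constructed sample data: one clean joiner, one unscreened hire, one early
# provisioning, one overdue leaver, one correctly disabled leaver, one orphan.
ROSTER = [
    HrRecord("p001", datetime(2024, 1, 8, tzinfo=UTC), None),
    HrRecord("p002", None, None),
    HrRecord("p003", datetime(2024, 3, 15, tzinfo=UTC), None),
    HrRecord("p004", datetime(2023, 6, 1, tzinfo=UTC), datetime(2024, 4, 30, 17, 0, tzinfo=UTC)),
    HrRecord("p005", datetime(2023, 9, 1, tzinfo=UTC), datetime(2024, 4, 30, 17, 0, tzinfo=UTC)),
]

ACCOUNTS = [
    Account("alice", "p001", True, datetime(2024, 1, 10, tzinfo=UTC)),
    Account("bob", "p002", True, datetime(2024, 2, 1, tzinfo=UTC)),
    Account("carol", "p003", True, datetime(2024, 3, 10, tzinfo=UTC)),
    Account("dave", "p004", True, datetime(2023, 6, 5, tzinfo=UTC), privileged=True),
    Account("erin", "p005", False, datetime(2023, 9, 3, tzinfo=UTC)),
    Account("svc_backup", "p999", True, datetime(2022, 1, 1, tzinfo=UTC)),
]

AUDIT_TIME = datetime(2024, 5, 2, 9, 0, tzinfo=UTC)

if __name__ == "__main__":
    for username, control, reason in find_violations(ROSTER, ACCOUNTS, AUDIT_TIME):
        print(f"{control:<7} {username:<12} {reason}")
```

Run on a schedule (or from the HR system's leaver event), the A.6.5 findings are the leavers whose revocation is overdue and the A.6.1 findings are the evidence an auditor asks for that access is gated on screening.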

Control 6.5 – Responsibilities after termination or change of employment: For further details on secure offboarding, role changes, access revocation timing, and post-employment obligations, consult the full Control 6.5 guidance.

Control 6.6 – Confidentiality or Non-Disclosure Agreements (NDAs)

Control A.6.6 ensures that confidentiality agreements (NDAs) are used to formally oblige personnel and relevant external parties to protect the organization’s sensitive information. The idea is that anyone with access to confidential data signs an agreement to not disclose that information to unauthorized people, both during and after their engagement with the organization. This control supports and reinforces other people controls: for instance, while A.6.2 puts security duties in employment contracts, A.6.6 often takes the form of a standalone Non-Disclosure Agreement that can also extend to contractors, consultants, or even suppliers who might come into contact with sensitive info. The NDA typically outlines what information is confidential and the individual’s obligation to safeguard it indefinitely (or for a defined period) even after their role ends. The importance of A.6.6 is that it provides legal protection and a clear expectation regarding information secrecy. Should an employee or third-party attempt to leak or misuse confidential data, the NDA serves as a deterrent and a basis for legal action.

Implementation Best Practices

Implement NDAs at multiple stages: pre-employment or onboarding (have new employees sign a confidentiality agreement as a condition of employment, if not already embedded in the contract) and with third parties (contractors, temporary staff, vendors, etc., should sign NDAs before they receive any access). Often, organizations include a general confidentiality clause in the employment contract (covering internal data) and use separate NDAs for situations like discussing a sensitive project with an outside consultant. Maintain a repository of signed NDAs or contractual confidentiality clauses for audit purposes. It’s also good practice to periodically remind staff of these obligations, e.g. through annual policy acknowledgements or refresher training, since NDAs can be forgotten over time. In supplier management, ensure your procurement or vendor onboarding process incorporates NDAs where appropriate – many companies won’t even begin sharing info with a supplier until an NDA is signed. Example: A software firm might require all new hires and any contractors (like developers or marketing freelancers) to sign a confidentiality agreement that covers source code, client data, and business secrets. Additionally, before engaging in talks about a partnership or merger, both companies sign mutual NDAs. By broadly applying confidentiality agreements, you create a legally enforceable web of trust that discourages data leaks. Remember to have legal counsel review your NDA templates to meet local requirements (e.g. some jurisdictions limit the duration or scope of NDAs). A well-executed A.6.6 control means no one should be unclear about their duty to keep information confidential.

Control 6.6 – Confidentiality or non-disclosure agreements: To learn more about structuring confidentiality and NDA requirements for employees, contractors, and third parties—plus what good evidence looks like—see the detailed Control 6.6 guide.

Control 6.7 – Remote Working

Control A.6.7 addresses the security of remote work arrangements. With modern organizations increasingly supporting remote or hybrid work, this control requires that security measures be implemented to protect information when staff work outside the traditional office environment. The goal is to ensure that whether an employee is in the office or at home (or on the go), they follow practices that safeguard data and systems. Key concerns include the security of devices used remotely, the networks they connect from, physical document security in home offices, and the overall alignment of remote work with the organization’s security policies. This control was newly introduced in ISO 27001:2022 (it wasn’t explicitly in the 2013 edition) to reflect the reality that remote working is now common and can expose organizations to risks if not managed (e.g. unsecured Wi-Fi, use of personal devices, blurring of work/home data, etc.). By formalizing remote work security, A.6.7 helps organizations close gaps that could be exploited when staff are outside the controlled corporate perimeter.

Implementation Best Practices

Develop a Remote Work Policy or procedure that outlines security requirements for anyone working off-site. This policy should cover issues like: the use of company-approved and secure devices (e.g. requiring laptops to have full disk encryption, up-to-date anti-malware, and perhaps Mobile Device Management controls); secure connectivity (mandating VPN usage or other encrypted connection when accessing company systems over the internet); physical security at remote locations (e.g. guidelines for home office like not leaving sensitive documents or unlocked devices accessible, and enforcing a clear desk/screen even at home); and acceptable use of company equipment and data from remote locations. Provide training to remote workers so they know how to securely work (for instance, remind them to lock screens, use strong home Wi-Fi passwords, and avoid public Wi-Fi or use VPN on it). Ensure your IT team extends necessary controls to remote endpoints – for example, enabling device encryption and remote wipe on laptops, enforcing regular software updates, and requiring multifactor authentication for remote access. Also consider the human factor: remote staff might feel isolated from the company culture, so keep them engaged with security awareness (include them in all training, maybe tailor some content to home working scenarios).

During the COVID-19 pandemic, many companies rapidly rolled out VPNs and collaboration tools to enable remote work, but later had to update their policies to address data handling at home. A good practice is performing spot audits or checklists – e.g., managers can have a conversation with their remote team members about their home office setup and confirm compliance (secure router settings, locked cabinets for files, etc.). By proactively managing remote work security, you mitigate risks from unsecured home networks or devices and ensure that the organization’s security posture remains strong outside the office walls.

Control 6.7 – Remote working: For further details on securing remote and hybrid work—covering device posture, network access, workspace safeguards, and user expectations—refer to the dedicated Control 6.7 guidance.

Control 6.8 – Information Security Event Reporting

Control A.6.8 ensures that all information security events and weaknesses are reported through proper channels, so that the organization can respond to incidents in a timely manner. In essence, every employee and relevant party should know how and why to report any suspected security incident (such as a phishing email, lost laptop, or unusual system behavior) or even observed vulnerabilities (like a broken door lock or a misrouted confidential document). The purpose is to engage everyone in the process of incident detection – a strong reporting culture means issues are caught early, before they escalate into bigger problems. This control ties into the broader incident management process (Annex A.5.30 and A.5.31 in the Organizational controls cover formal incident management). However, A.6.8 specifically focuses on the people aspect: creating awareness and an easy mechanism for personnel to report potential security events without fear of blame. Its importance is huge because even the best technical monitoring might not catch something an observant employee would; for example, an employee might notice their computer behaving oddly or may fall for a phishing attempt – if they promptly report it, the damage can be contained. Without a reporting mechanism, incidents can go unnoticed until it’s too late.

Implementation Best Practices

Establish clear procedures and channels for reporting incidents, and communicate these to all staff as part of training and the employee handbook. Common approaches include setting up a dedicated email address or hotline (e.g. security@company.com or an internal ticketing system) where employees can report suspicious activities. Some organizations use anonymous reporting tools or integrate reporting into existing IT helpdesk systems. The key is that the process is simple and non-punitive – emphasize that reporting an honest mistake or near-miss is encouraged and will not result in punishment. Ensure that every report is logged and assessed by the security team. As part of security awareness (A.6.3), provide examples of events to report: e.g., “If you accidentally click on a phishing link or lose a device, report it immediately without fear – it helps us secure the situation.” Regularly remind staff of the reporting channel (posters in the office, intranet pages, etc.). It’s also wise to include this in your Acceptable Use Policy or Employee Handbook with a statement like “All employees have a duty to report any information security incidents or weaknesses promptly to the IT/security department”. Test the reporting process periodically (for instance, simulate an incident and walk through how an employee would report it and how quickly the response occurs). Creating feedback loops can motivate reporting – if people see that reported issues are taken seriously and resolved, they’ll be more likely to speak up. In summary, make reporting easy and build trust that it’s for the good of everyone. An effective reporting control means even something as minor as a propped-open secure door or a suspicious email will be brought to security’s attention by alert employees. This greatly increases the organization’s ability to detect and react to incidents early, reducing potential damage.

Control 6.8 – Information security event reporting: see the dedicated Control 6.8 guide to learn more about establishing clear reporting channels and a strong reporting culture for security events and weaknesses.

The Impact of People Controls on ISMS Strength

Implementing ISO 27001 Clause 6 People Controls is essential for building a resilient, security-aware organization. While technical and physical controls are important, the human element often determines the success or failure of an ISMS. If staff are poorly trained, unaware of risks, or careless with data, even the best firewalls and locks won’t fully protect your information.

Conversely, when people controls are done right, your employees become a powerful defense layer.
Well-screened, well-trained, and accountable personnel can actively prevent incidents, detect anomalies, and follow procedures that keep the organization secure.
In fact, a strong security culture—where everyone understands their role in safeguarding information—dramatically reduces the likelihood of breaches caused by human error or misconduct.

Clause 6 controls also reinforce each other: clear contracts (A.6.2) set expectations, training (A.6.3) gives the knowledge to meet those expectations, and disciplinary processes (A.6.4) back them up with enforcement. Similarly, screening (A.6.1) and NDAs (A.6.6) build trust at entry, while termination handling (A.6.5) and incident reporting (A.6.8) ensure security at exit and all along the way.


People can be your greatest security asset – Clause 6 helps you harness that potential by systematically managing human factors in information security.
