Annex A.6 of ISO 27001 includes eight people controls that address human-related security risks, such as errors, insider threats, or lack of awareness. These controls ensure that individuals within or associated with an organization adhere to security policies and practices, fostering a culture of accountability and vigilance. While fewer in number compared to organizational or technological controls, their impact is significant, as human behavior directly influences the effectiveness of an ISMS.
Each control in Annex A.6 is defined in the normative ISO/IEC 27001:2022 standard with a unique identifier, title, and brief statement. For practical implementation, ISO/IEC 27002:2022, an informative companion, provides detailed guidance, examples, and best practices across 164 pages, using the same numbering for easy reference. Both standards are available for purchase from the International Organization for Standardization (ISO) or national standards bodies (e.g., ANSI, BSI).
Complete List of Annex A.6 Controls
The table below lists all eight people controls of Annex A.
Control ID | Control Title |
|---|---|
A.6.1 | Screening |
A.6.2 | Terms and Conditions of Employment |
A.6.3 | Information Security Awareness, Education and Training |
A.6.4 | Disciplinary Process |
A.6.5 | Responsibilities After Termination or Change of Employment |
A.6.6 | Confidentiality or Non-Disclosure Agreements |
A.6.7 | Remote Working |
A.6.8 | Information Security Event Reporting |
Key Topics Covered in Annex A.6 Controls
Annex A.6 focuses on managing human-related risks to ensure personnel contribute to a secure ISMS. These controls cover screening, training, accountability, and secure practices in modern work environments.
Below is a breakdown of the main areas addressed by A.6, with examples and their relevance in 2025.
Screening and Onboarding
The following controls are related to this topic:
A.6.1 (Screening)
A.6.2 (Terms and Conditions of Employment)
A.6.6 (Confidentiality or Non-Disclosure Agreements)
Purpose: Ensure personnel are trustworthy and understand their security obligations. A.6.1 requires background checks for employees and contractors, while A.6.2 mandates security responsibilities in employment contracts. A.6.6 enforces confidentiality through NDAs.
Relevance: In 2025, with insider threats on the rise, thorough screening and clear contractual obligations prevent unauthorized data access.
Training and Awareness
The following controls are related to this topic:
A.6.3 (Information Security Awareness, Education, and Training)
Purpose: Equip personnel with knowledge to recognize and mitigate security risks, such as phishing or social engineering. A.6.3 requires regular training programs tailored to roles.
Relevance: As cyberattacks grow more sophisticated (e.g., AI-driven phishing), ongoing awareness training is critical to reduce human error.
Accountability and Discipline
The following controls are related to this topic:
A.6.4 (Disciplinary Process)
A.6.5 (Responsibilities After Termination or Change of Employment)
Purpose: Establish consequences for security violations and ensure secure offboarding. A.6.4 defines disciplinary actions for policy breaches, while A.6.5 ensures departing employees return assets and maintain confidentiality.
Relevance: Clear accountability and offboarding processes protect against data leaks, especially in high-turnover environments.
Remote Work and Event Reporting
The following controls are related to this topic:
A.6.7 (Remote Working)
A.6.8 (Information Security Event Reporting)
Purpose: Secure remote work environments and encourage reporting of security incidents. A.6.7 addresses secure setups for remote workers, while A.6.8 promotes a culture of reporting suspicious activities.
Relevance: With hybrid work models dominant in 2025, these controls mitigate risks from unsecured home networks and ensure timely incident detection.
