Annex A outlines 93 security controls across four themes: Organizational Controls (A.5), People Controls (A.6), Physical Controls (A.7), and Technological Controls (A.8). The controls of Annex A.6 address the human element in your Information Security Management System (ISMS).
This guide spotlights Annex A.6, featuring 8 controls (A.6.1 to A.6.8) that focus on managing personnel to enhance information security. The people controls of Annex A can reduce human-related vulnerabilities and foster a security-conscious culture.
What Are Annex A.6 People Controls in ISO 27001:2022?
Annex A.6 people controls emphasize measures to influence employee behavior and ensure secure handling of information. They address the "human factor," often the weakest link in security chains, by covering policies, training, and processes for personnel. Per ISO 27001:2022, organizations must assess these controls in their risk treatment and document them in the Statement of Applicability (SoA).
With just 8 controls, Annex A.6 is concise yet impactful, guiding implementation via ISO 27002:2022 for customization based on factors like workforce size, industry, and current risks such as social engineering. Adopting these controls not only supports compliance but also minimizes breaches from human error or malice.
Complete List of ISO 27001 Annex A.6 Controls
Here's the complete list of Annex A.6 people controls from ISO 27001:2022, presented in a table for quick reference. Include or exclude them in your SoA based on risk assessments, with ISO 27002 offering detailed implementation advice.
| Control ID | Control Title |
|---|---|
| A.6.1 | Screening |
| A.6.2 | Terms and Conditions of Employment |
| A.6.3 | Information Security Awareness, Education and Training |
| A.6.4 | Disciplinary Process |
| A.6.5 | Responsibilities After Termination or Change of Employment |
| A.6.6 | Confidentiality or Non-Disclosure Agreements |
| A.6.7 | Remote Working |
| A.6.8 | Information Security Event Reporting |
Key Topics Covered in Annex A.6 Controls
Annex A.6 tackles critical areas of personnel management to promote secure practices. Key topics include:
- Screening and Onboarding: Controls like A.6.1 (Screening) and A.6.2 (Terms and Conditions of Employment) ensure background checks and clear security expectations during hiring.
- Awareness and Training: A.6.3 focuses on education to build knowledge and skills for handling sensitive data, combating risks like phishing.
- Disciplinary and Termination Processes: A.6.4 (Disciplinary Process) and A.6.5 (Responsibilities After Termination or Change of Employment) outline consequences for violations and secure offboarding.
- Confidentiality and Agreements: A.6.6 addresses non-disclosure agreements to protect information post-employment.
- Remote Working Security: A.6.7 covers policies for secure remote access, increasingly relevant in hybrid models.
- Event Reporting: A.6.8 encourages prompt reporting of security incidents to enable quick response.
These topics foster a security-aware workforce, integrating people into your broader ISMS strategy.