Implementing and Auditing ‘People Controls’ from ISO 27001:2022

The term ‘information security’ can often lead people to think of data or cyber security, however an organisation’s people are also an extremely important aspect of its security posture.  The information employees have access to, see and hear during their working day is wide ranging, and the security of this information needs to be managed.  The ‘insider threat’ posed by your organisation’s personnel is by far the most likely to result in a security incident, not due to them looking to do harm, but simply due to them making mistakes or not being aware of the correct processes.  By having controls in place to reduce the likelihood of human error, first by recruiting competent people into your organisation and then by training them and ensuring they remain competent, the less likely that people-based incidents will occur.

When an organisation recruits, moves or promotes an employee, there are a number of information security concerns to be considered.  These can include background verification checks, employment history, the right to work within the country the organisation is located, information security awareness and training, and whether confidentiality or non-disclosure agreements are required between the organisation and the employee.  Whilst the ‘people controls’ theme is new to the 2022 version of the Standard, it can be mapped to the ‘Human resource security’ controls in ISO 27001:2013, so has always been identified as a core element of information security.

One method for ensuring new employees meet an organisation’s information security requirements is to implement a screening or pre-employment policy.  In the majority of organisations URM audits, the screening or pre-employment policy observed is part of an existing new recruit onboarding process, where a standard background check is completed for potential new employees and further background verifications conducted for certain roles.  For example, positions within government or the military may require an individual to be subject to security clearance checks due to the sensitivity of the role they will be performing.

Beyond the obvious security-related checks (e.g., DBS checks), other elements such as CV review, interviews, assessment of experience and qualifications, previous employer checks, etc., are also important both in assessing an individual’s suitability for the role and in maintaining information security.  The more competent the individual being hired, the less likely it is that they will be the cause of incidents in the future.

Your organisation’s screening or pre-employment policy should also be directly linked with its access control policy.  Once an employee’s background verification is successfully completed, you can determine the level of IT access and the level of physical access required, ensuring that access to any privileged or restricted information is managed.  Equally, if an employee is moving department or has received a promotion, the change of role may result in a change to the type or classification of information they are exposed to.  This may require further background verifications or access to more business systems containing sensitive information.

Although not present in ISO 27001:2013, remote working and information security event reporting controls have been included in ISO 27001:2022 to reflect the increasing mobility of the workforce, with many employees now moving from being purely site/office based to working on a fully remote or hybrid basis.  The information security measures in place at your organisation’s premises are an essential element of its preventive security measures.  To further reduce information security risks, you need to extend your information security measures to the relevant employees’ remote places of work, and will need to ensure the mechanism for reporting potential information security events is effective, regardless of whether employees are on site or at home.  

Control 6.3, Information security awareness, education and training also plays a pivotal role in the prevention of information security events by establishing your organisation’s security posture or culture from the beginning of a staff member’s employment.  Beyond this, it functions as an effective communication method to inform new employees of your organisation’s information security requirements, such as a clear desk and clear screen policy, physical protection of devices and destruction of media (e.g., paper documents).  These rules should apply to remote work in the same way they apply to employees working on site, although the means of adhering to them may need to be different.

As with all audits, regardless of whether they are against the Standard’s mandatory clauses or the controls, the auditor is looking for objective evidence that the requirements of ISO 27001 are understood, documented and are effectively managed for conformance to not only the Standard, but also the organisation’s own policies, processes and procedures.

Below are the people controls, along with some hints and tips that can be used to help you prepare for an internal audit.  

‍

‍

6.1 Screening

Here, you can use any existing new starter onboarding or pre-employment policy and select some examples that can be reviewed by the auditor to confirm the policies are effective and being followed.  Your organisation may utilise a pre-employment checklist that the HR/People Team use to ensure consistency across all candidates, such as confirmation of the individual’s identification (passport, birth certificate), confirmation of their right to work (if required), proof of address via a recent utility bill addressed to the individual and confirmation of personal and/or employment references.  

Increasingly, auditors are becoming aware of their responsibility to protect personally identifiable information (PII), so may not need to view the documents used to verify identity, but will still need to know that the relevant checks have been performed.  To facilitate this, it may be useful for the HR Department to maintain a record stating what it has verified during the screening process.

6.2 Terms and conditions of employment

The wording of this control provides useful guidance by stating that ‘contractual agreements shall state the personnel’s and the organisation’s responsibilities for information security’.  An auditor will look for evidence that a contract of employment contains the information security responsibilities, and these can be included in the contract text or as part of the contract terms and conditions, with clauses for data security, information security, confidential information, training, education and awareness requirements, and supporting information security policies and ISMS.

6.3 Information security awareness, education and training

For this control, the auditor will be looking for evidence of a formal information security training programme that includes new starters being inducted to your organisation and evidence of annual refresher/update training for all existing employees.  The information security awareness, education and training is the ideal opportunity for you to communicate your approach to information security, cultivate awareness of the ISMS and supporting documentation such as the Information Security Policy, Acceptable Use Policy, Access Control Policy and any other relevant, topic-specific policies.  Practical evidence to share with the auditor would be some examples of individuals receiving the training for both new starters and existing employees, along with an example of the content of any training modules.  

6.4 Disciplinary process

For this control, the auditor is looking to establish where within the ISMS your organisation has communicated to its employees and other relevant interested parties, such as visitors, the importance of adhering to the information security requirements and what steps will be taken for those who do not adhere, such as verbal and written warnings or, in very severe cases, dismissal.  Often this evidence is found in the employment contract terms and conditions, or as part of the visitor induction.  You can also include a statement within each documented information security-related policy reminding the user of the possible consequences of not adhering to the policy requirements.  

Linking policy conformance to the disciplinary process is vital, as policies are generally used as a ‘deterrent’ type control by deterring personnel from taking actions that lead to information security incidents, either intentionally or through negligence.  However, they will only function as an effective deterrent if there are consequences associated with nonconformance, and if these consequences are effectively communicated to the relevant individuals.

6.5 Responsibilities after termination or change of employment

Here, the auditor will want to understand the restrictive covenants that are in place within employee contracts. For example, employee contracts may include a clause stating that they must not disclose any confidential information for a period of up to 5 years following the termination of employment.  This will cover information such as intellectual property (IP), PII, and other confidential information the employee may become privy to whist employed.

The other aspect of this control regards succession planning – if a staff member’s function within the organisation will continue after their employment ends, plans will need to be in place that establish how this will be achieved.  These plans should include notification to interested parties that the individual is leaving/has left, and what the impact of this is likely to be.  To learn more about your obligations to interested parties under ISO 27001, read our blog on How to Meet the ISO 27001 Interested Parties Requirements.  

6.6 Confidentiality or non-disclosure agreements

Your organisation may have a standard process where every employee signs a confidentially or non-disclosure agreement upon joining the company; if this is the case, an auditor will want to see some examples of this.  For the majority of organisations we work with, confidentiality is included in the terms and conditions of the contract of employment and non-disclosure agreements are often evidenced via supplier relationship management, as well as being required prior to the commencement of any supplier work.

6.7 Remote working

During the COVID-19 pandemic, many organisations had to shut down their premises and employees worked from home.  Remote working is now a very common practice, and this control is designed to ensure information security measures are implemented for remote and hybrid workers.  Auditors will be looking to see that security controls such as device encryption are active on all devices that are used remotely.  The acceptable use of company devices, such as storage, should be communicated to employees during induction and refreshed regularly with existing employees.  As mentioned previously, policies such as a clear desk and clear screen policy, disposal of media etc. should also apply to remote workers as well as those working on site.  Meanwhile, password polices should be up to date with all employees adhering to them, for example, by routinely changing passwords in line with relevant password policy requirements.  

6.8 Information security event reporting

The ability to effectively report potential information security events is an essential aspect of an organisation’s preventive and corrective measures for information security, and it is also an effective means to engage all employees on the topic of information security.  For this control, auditors are looking for effective communication to employees of your organisation’s mechanism for reporting information security events, which should be covered in your employee training and awareness programme.  This mechanism may be a portal that all employees access to raise the event, or a known person to contact such as their line manager or information security manager.  Some examples of raised events may be observed by the auditor to ensure any internal process is being followed and the events are being managed effectively.

Information security event reporting should also be included in the employee handbook and/or acceptable use policy as a requirement, with all staff expected to report not only things they consider to be information security incidents, but also weaknesses (e.g., a broken door lock).

The effective implementation of Annex A’s people controls will play a significant role in helping you achieve and maintain not only ISO 27001 conformance, but also information security in general.  Your organisation’s personnel, if incompetent, poorly trained, or malicious, will be among its biggest information security risks. However, if the above controls are implemented properly and your staff kept well-informed about your information security policies and processes, they can also be your greatest asset in the prevention, detection and correction of information security incidents.