Section focus
A.6 controls focus on people-related security risk: who is trusted, what they agree to, how they are trained, how responsibilities are enforced, and how personnel changes are handled.
Covered controls
| Control | Topic | Status | Main evidence focus |
|---|---|---|---|
| A.6.1 Screening | Background verification before joining and ongoing where justified | draft | Screening procedure, completed verification records, legal/data protection handling |
| A.6.2 Terms and Conditions of Employment | Security responsibilities in employment and contractual agreements | draft | Signed terms, confidentiality agreements, role/security responsibility updates |
| A.6.3 Information Security Awareness Education and Training | Awareness, education, training, and policy/procedure updates relevant to job function | draft | Training matrix, induction records, specialist training, assessment, effectiveness review |
| A.6.4 Disciplinary Process | Formal response to information security policy violations | draft | Disciplinary criteria, evidence threshold, action records, closure |
| A.6.5 Responsibilities After Termination or Change of Employment | Security duties and access/asset changes after termination or role change | draft | Leaver/mover records, access removal, asset return, continuing duties |
| A.6.6 Confidentiality or Non-Disclosure Agreements | Confidentiality/NDA needs, signing, review, and enforceability | draft | NDA register, signed agreements, legal review, review schedule |
| A.6.7 Remote Working | Security measures for information accessed, processed, or stored outside organization premises | draft | Remote work authorization, risk assessment, device/security controls, awareness |
| A.6.8 Information Security Event Reporting | Timely reporting of observed or suspected information security events | draft | Reporting channels, event forms, training, event register, triage records |
How A.6 differs from A.5
A.5 is mostly governance and organizational control design. A.6 is about personnel trust and behavior. In an audit, A.6 evidence usually comes from HR, recruitment, line management, legal, procurement, and contractor onboarding records, not only the security team.
Related concepts
- Risk Assessment
- Statement of Applicability
- Internal Audit
- Management Review
- Roles and Responsibilities
- A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
- A.5.34 Privacy and Protection of PII
- ISO 27002 Annex A Control Interpretation Map
- A.6 People Controls Implementation Audit Risk Mapping
Templates and working records
- Personnel Screening Register
- Background Verification Checklist
- Security Terms and Conditions Checklist
- Confidentiality Agreement Register
- Personnel Security Responsibility Acknowledgement
- Security Awareness and Training Plan
- Role-Based Security Training Matrix
- Security Training Record
- Disciplinary Process Checklist
- Policy Violation and Disciplinary Action Register
- Leaver and Role Change Security Checklist
- Post-Employment Security Responsibilities Register
- Confidentiality Agreement Review Checklist
- Remote Working Authorization Register
- Remote Working Security Checklist
- Remote Working Risk Assessment
- Information Security Event Report Form
- Information Security Event Reporting Channel Register
- A.6.1 Audit Checklist
- A.6.2 Audit Checklist
- A.6.3 Audit Checklist
- A.6.4 Audit Checklist
- A.6.5 Audit Checklist
- A.6.6 Audit Checklist
- A.6.7 Audit Checklist
- A.6.8 Audit Checklist
- Iso27001
- Iso27002
- Annex a
- People controls
- Moc
Note Metadata
Aliases: A.6 People Controls, People Controls MOC
Source: 03 Annex A People Controls/A.6 People Controls MOC.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Internal Audit
- Management Review
- Risk Assessment
- Roles and Responsibilities
- Statement of Applicability
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.6.1 - Screening
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.4 - Disciplinary Process
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.6.8 - Information Security Event Reporting
- A.6 People Controls Implementation Guide
- ISO 27001 Implementer Guide
- ISO27001-A.6.1 Screening
- ISO27001-A.6.2 Terms and Conditions of Employment
- ISO27001-A.6.3 Information Security Awareness, Education and Training
- A.6 People Controls Implementation Audit Risk Mapping
- ISO 27001 Implementer Auditor ISO 27005 Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.6.1 Audit Checklist
- A.6.2 Audit Checklist
- A.6.3 Audit Checklist
- A.6.4 Audit Checklist
- A.6.5 Audit Checklist
- A.6.6 Audit Checklist
- A.6.7 Audit Checklist
- A.6.8 Audit Checklist
- Background Verification Checklist
- Confidentiality Agreement Register
- Confidentiality Agreement Review Checklist
- Disciplinary Process Checklist
- Information Security Event Report Form
- Information Security Event Reporting Channel Register
- Leaver and Role Change Security Checklist
- Personnel Screening Register
- Personnel Security Responsibility Acknowledgement
- Policy Violation and Disciplinary Action Register
- Post-Employment Security Responsibilities Register
- Remote Working Authorization Register
- Remote Working Risk Assessment
- Remote Working Security Checklist
- Role-Based Security Training Matrix
- Security Awareness and Training Plan
- Security Terms and Conditions Checklist
- Security Training Record
- Annex A Controls MOC
- ISO 27001 Overview