UnixTime

Research Note

A.6 People Controls MOC

A.5 is mostly governance and organizational control design. A.6 is about personnel trust and behavior. In an audit, A.6 evidence usually comes from HR, recruitment, line managem...

On this page

Section focus

A.6 controls focus on people-related security risk: who is trusted, what they agree to, how they are trained, how responsibilities are enforced, and how personnel changes are handled.

Covered controls

Control Topic Status Main evidence focus
A.6.1 Screening Background verification before joining and ongoing where justified draft Screening procedure, completed verification records, legal/data protection handling
A.6.2 Terms and Conditions of Employment Security responsibilities in employment and contractual agreements draft Signed terms, confidentiality agreements, role/security responsibility updates
A.6.3 Information Security Awareness Education and Training Awareness, education, training, and policy/procedure updates relevant to job function draft Training matrix, induction records, specialist training, assessment, effectiveness review
A.6.4 Disciplinary Process Formal response to information security policy violations draft Disciplinary criteria, evidence threshold, action records, closure
A.6.5 Responsibilities After Termination or Change of Employment Security duties and access/asset changes after termination or role change draft Leaver/mover records, access removal, asset return, continuing duties
A.6.6 Confidentiality or Non-Disclosure Agreements Confidentiality/NDA needs, signing, review, and enforceability draft NDA register, signed agreements, legal review, review schedule
A.6.7 Remote Working Security measures for information accessed, processed, or stored outside organization premises draft Remote work authorization, risk assessment, device/security controls, awareness
A.6.8 Information Security Event Reporting Timely reporting of observed or suspected information security events draft Reporting channels, event forms, training, event register, triage records

How A.6 differs from A.5

A.5 is mostly governance and organizational control design. A.6 is about personnel trust and behavior. In an audit, A.6 evidence usually comes from HR, recruitment, line management, legal, procurement, and contractor onboarding records, not only the security team.

Templates and working records

  • Iso27001
  • Iso27002
  • Annex a
  • People controls
  • Moc

Note Metadata

Aliases: A.6 People Controls, People Controls MOC

Source: 03 Annex A People Controls/A.6 People Controls MOC.md

Graph-sourced resources

Templates and evidence