What the auditor wants to verify
Audit objective
Verify that disciplinary action for information security policy violations is formalized, communicated, evidence-based, proportionate, and consistently followed.
The auditor wants evidence that the organization can respond fairly and consistently when personnel or relevant interested parties violate information security policy.
Evidence to request
| Evidence | Purpose |
|---|---|
| Disciplinary process | Shows formal process exists |
| Security policy compliance clause | Shows control breaches are policy breaches |
| Awareness/onboarding records | Shows the process and consequences were communicated |
| Disciplinary criteria | Shows action triggers and severity considerations |
| Incident and policy violation records | Shows potential triggers are identified |
| Case files or action records | Shows process operation |
| Evidence review records | Shows action was based on sufficient evidence |
| Closure and follow-up records | Shows actions were completed |
| Contractor or third-party breach procedure | Shows non-employee violations have a route |
Strong evidence
Strong evidence test
Prefer sampled records that show trigger, evidence, decision, proportionality, outcome, and closure.
- Process is documented, approved, and communicated.
- Criteria define when disciplinary action is considered.
- Cases start only after sufficient evidence of violation.
- Outcomes are proportionate to intent, impact, role, and history.
- Similar cases are handled consistently.
- Follow-up action is tracked to closure.
- Third-party violations are handled through contract, procurement, or vendor-management routes.
Weak evidence
Weak evidence warning
Weak evidence usually proves HR has a process, not that security policy violations are handled properly.
- Generic HR procedure with no security-policy link.
- Informal manager action without records.
- Incident criteria met but no disciplinary review occurred.
- Action taken without evidence threshold.
- No closure record.
- Contractors or third parties excluded.
- Personnel are unaware of consequences.
Sample interview questions
Ask HR or legal
- How does the disciplinary process handle information security policy violations?
- What evidence is required before the process starts?
- How is proportionality determined?
- How are similar cases handled consistently?
Ask security or managers
- When does a security incident trigger disciplinary review?
- How do you preserve evidence before referring a case?
- How are follow-up actions tracked?
Ask personnel
- Are you aware that information security policy violations can lead to action?
- Where is the process or consequence explained?
Common nonconformities
- No formal disciplinary process for security violations.
- Process not communicated to personnel.
- No evidence threshold before action.
- Inconsistent treatment of similar cases.
- Criteria met but process not initiated.
- Follow-up actions not completed.
- Third-party violations not covered.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A6 4
Note Metadata
Aliases: A.6.4 Evidence
Source: 04 Audit Evidence Packs/A.6.4 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.36 - Compliance with Policies, Rules and Standards for Information Security
- ISO 27001 A.6.4 - Disciplinary Process
- Audit Evidence MOC
- AQ-ISO27001-A.6.4 Disciplinary Process
- A.6 People Controls Audit Guide
- ISO27001-A.6.4 Disciplinary Process
- A.6.4 Audit Checklist
- Disciplinary Process Checklist
- Policy Violation and Disciplinary Action Register
- Audit Evidence Index