UnixTime

Research Note

A.6 People Controls Audit Guide

1. Select samples across employees, contractors, temporary staff, and third-party users. 2. Compare onboarding dates, agreement dates, screening completion dates, and access pro...

On this page

Auditor lens

Use this page when planning first-party audit tests for personnel security controls.

Audit objectives

Control What to verify Evidence pack
A.6.1 Screening Screening is lawful, risk-based, documented, completed before joining or sensitive access, and applied to personnel in scope A.6.1 Audit Evidence Pack
A.6.2 Terms and Conditions of Employment Security responsibilities are stated in agreements and accepted before work or access; terms stay current when responsibilities change A.6.2 Audit Evidence Pack
A.6.3 Information Security Awareness Education and Training Awareness, education, training, and updates are role-relevant, timely, recorded, and reviewed for effectiveness A.6.3 Audit Evidence Pack
A.6.4 Disciplinary Process Security policy violations trigger a formal, communicated, evidence-based, and proportionate process A.6.4 Audit Evidence Pack
A.6.5 Responsibilities After Termination or Change of Employment Leavers and movers have access removed, assets returned, notifications recorded, and continuing duties communicated A.6.5 Audit Evidence Pack
A.6.6 Confidentiality or Non-Disclosure Agreements NDA/confidentiality needs are identified, signed before access, legally reviewed where needed, and regularly reviewed A.6.6 Audit Evidence Pack
A.6.7 Remote Working Remote working is authorized, risk-assessed, technically controlled, physically considered, and reviewed A.6.7 Audit Evidence Pack
A.6.8 Information Security Event Reporting Personnel know how to report observed or suspected events through timely approved channels A.6.8 Audit Evidence Pack

Audit approach

  1. Select samples across employees, contractors, temporary staff, and third-party users.
  2. Compare onboarding dates, agreement dates, screening completion dates, and access provisioning dates.
  3. Test whether high-risk roles received stronger screening or terms where required.
  4. Interview HR, legal, procurement, hiring managers, and access administrators.
  5. Interview personnel about policy awareness, reporting routes, and role-specific responsibilities.
  6. Sample incidents, leavers, movers, confidentiality agreements, remote workers, and event reports.
  7. Check whether personnel, screening, training, disciplinary, offboarding, remote work, and event records are protected as personal data.
  8. Raise findings where the organization has documents but cannot prove operation.

Common audit challenges

Challenge Audit response
HR says records are confidential Accept controlled inspection, redaction, or evidence sampling, but still verify the control operates
Contractors are managed by procurement Include procurement/vendor management in scope
Screening was performed verbally Ask for dated notes or records; undocumented follow-up is weak evidence
NDA exists but security terms are vague Test broader A.6.2 responsibility coverage
Access was granted before checks Treat as a timing/control-operation gap
Annual training completion is reported as effectiveness Ask for role mapping, assessments, incident trends, feedback, and update records
Disciplinary action is described as confidential Accept controlled sampling, but still verify trigger, evidence, outcome, and closure
Movers are excluded from leaver testing Include movers because stale access often appears after transfer
NDA template exists Test signed agreements, timing before access, legal review, and review status
VPN is shown as the whole remote working control Test endpoint, physical, location, data, asset, and user controls too
No events were reported Treat this as a risk signal unless awareness and interview evidence support it
  • Iso27001
  • ISO27002
  • Auditor guide
  • People controls
  • Internal audit

Note Metadata

Aliases: A.6 Audit Guide

Source: 06 Auditor Guide/A.6 People Controls Audit Guide.md

Graph-sourced resources

Templates and evidence