Auditor lens
Use this page when planning first-party audit tests for personnel security controls.
Audit objectives
| Control | What to verify | Evidence pack |
|---|---|---|
| A.6.1 Screening | Screening is lawful, risk-based, documented, completed before joining or sensitive access, and applied to personnel in scope | A.6.1 Audit Evidence Pack |
| A.6.2 Terms and Conditions of Employment | Security responsibilities are stated in agreements and accepted before work or access; terms stay current when responsibilities change | A.6.2 Audit Evidence Pack |
| A.6.3 Information Security Awareness Education and Training | Awareness, education, training, and updates are role-relevant, timely, recorded, and reviewed for effectiveness | A.6.3 Audit Evidence Pack |
| A.6.4 Disciplinary Process | Security policy violations trigger a formal, communicated, evidence-based, and proportionate process | A.6.4 Audit Evidence Pack |
| A.6.5 Responsibilities After Termination or Change of Employment | Leavers and movers have access removed, assets returned, notifications recorded, and continuing duties communicated | A.6.5 Audit Evidence Pack |
| A.6.6 Confidentiality or Non-Disclosure Agreements | NDA/confidentiality needs are identified, signed before access, legally reviewed where needed, and regularly reviewed | A.6.6 Audit Evidence Pack |
| A.6.7 Remote Working | Remote working is authorized, risk-assessed, technically controlled, physically considered, and reviewed | A.6.7 Audit Evidence Pack |
| A.6.8 Information Security Event Reporting | Personnel know how to report observed or suspected events through timely approved channels | A.6.8 Audit Evidence Pack |
Audit approach
- Select samples across employees, contractors, temporary staff, and third-party users.
- Compare onboarding dates, agreement dates, screening completion dates, and access provisioning dates.
- Test whether high-risk roles received stronger screening or terms where required.
- Interview HR, legal, procurement, hiring managers, and access administrators.
- Interview personnel about policy awareness, reporting routes, and role-specific responsibilities.
- Sample incidents, leavers, movers, confidentiality agreements, remote workers, and event reports.
- Check whether personnel, screening, training, disciplinary, offboarding, remote work, and event records are protected as personal data.
- Raise findings where the organization has documents but cannot prove operation.
Common audit challenges
| Challenge | Audit response |
|---|---|
| HR says records are confidential | Accept controlled inspection, redaction, or evidence sampling, but still verify the control operates |
| Contractors are managed by procurement | Include procurement/vendor management in scope |
| Screening was performed verbally | Ask for dated notes or records; undocumented follow-up is weak evidence |
| NDA exists but security terms are vague | Test broader A.6.2 responsibility coverage |
| Access was granted before checks | Treat as a timing/control-operation gap |
| Annual training completion is reported as effectiveness | Ask for role mapping, assessments, incident trends, feedback, and update records |
| Disciplinary action is described as confidential | Accept controlled sampling, but still verify trigger, evidence, outcome, and closure |
| Movers are excluded from leaver testing | Include movers because stale access often appears after transfer |
| NDA template exists | Test signed agreements, timing before access, legal review, and review status |
| VPN is shown as the whole remote working control | Test endpoint, physical, location, data, asset, and user controls too |
| No events were reported | Treat this as a risk signal unless awareness and interview evidence support it |
Related templates
- A.6.1 Audit Checklist
- A.6.2 Audit Checklist
- A.6.3 Audit Checklist
- A.6.4 Audit Checklist
- A.6.5 Audit Checklist
- A.6.6 Audit Checklist
- A.6.7 Audit Checklist
- A.6.8 Audit Checklist
- Personnel Screening Register
- Confidentiality Agreement Register
- Security Awareness and Training Plan
- Leaver and Role Change Security Checklist
- Remote Working Authorization Register
- Information Security Event Reporting Channel Register
- Corrective Action Tracker
- Iso27001
- ISO27002
- Auditor guide
- People controls
- Internal audit
Note Metadata
Aliases: A.6 Audit Guide
Source: 06 Auditor Guide/A.6 People Controls Audit Guide.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
- A.6.1 Audit Checklist
- A.6.1 Audit Evidence Pack
- A.6.2 Audit Checklist
- A.6.2 Audit Evidence Pack
- A.6.3 Audit Checklist
- A.6.3 Audit Evidence Pack
- A.6.4 Audit Checklist
- A.6.4 Audit Evidence Pack
- A.6.5 Audit Checklist
- A.6.5 Audit Evidence Pack
- A.6.6 Audit Checklist
- A.6.6 Audit Evidence Pack
- A.6.7 Audit Checklist
- A.6.7 Audit Evidence Pack
- A.6.8 Audit Checklist
- A.6.8 Audit Evidence Pack
- Template - Corrective Action Tracker
Related Notes
- ISO 27001 A.6.1 - Screening
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.4 - Disciplinary Process
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.6.8 - Information Security Event Reporting
- A.6.1 Audit Evidence Pack
- A.6.2 Audit Evidence Pack
- A.6.3 Audit Evidence Pack
- A.6.4 Audit Evidence Pack
- A.6.5 Audit Evidence Pack
- A.6.6 Audit Evidence Pack
- A.6.7 Audit Evidence Pack
- A.6.8 Audit Evidence Pack
- AQ-ISO27001-A.6.1 Screening
- AQ-ISO27001-A.6.2 Terms and Conditions of Employment
- AQ-ISO27001-A.6.3 Information Security Awareness, Education and Training
- AQ-ISO27001-A.6.4 Disciplinary Process
- AQ-ISO27001-A.6.5 Responsibilities After Termination or Change of Employment
- AQ-ISO27001-A.6.6 Confidentiality or Non-Disclosure Agreements
- AQ-ISO27001-A.6.7 Remote Working
- AQ-ISO27001-A.6.8 Information Security Event Reporting
- ISO 27001 Auditor Guide
- A.6.1 Audit Checklist
- A.6.2 Audit Checklist
- A.6.3 Audit Checklist
- A.6.4 Audit Checklist
- A.6.5 Audit Checklist
- A.6.6 Audit Checklist
- A.6.7 Audit Checklist
- A.6.8 Audit Checklist
- Confidentiality Agreement Register
- Template - Corrective Action Tracker
- Information Security Event Reporting Channel Register
- Leaver and Role Change Security Checklist
- Personnel Screening Register
- Remote Working Authorization Register
- Security Awareness and Training Plan
- Annex A Controls MOC
- Audit Evidence Index
- ISO 27001 Overview