UnixTime

Research Note

A.6 People Controls Implementation Audit Risk Mapping

- A.6 controls are people-risk treatments. They reduce the chance that the wrong person is trusted or that the right person lacks clear obligations. - A.6 evidence often sits ou...

On this page

How to use this map

Use this as the bridge between implementer tasks, audit tests, ISO/IEC 27002 interpretation, and ISO/IEC 27005 risk thinking.

Control Implementation focus Audit focus ISO 27005 risk link Useful templates
A.6.1 Screening Define lawful, proportional, role-based screening before joining or sensitive access Sample personnel and contractor files; verify timing, independent checks, follow-up, and privacy handling Personnel trust risk, insider misuse, fraud, unauthorized disclosure, excessive PII collection Personnel Screening Register, Background Verification Checklist, A.6.1 Audit Checklist
A.6.2 Terms and Conditions of Employment Embed security responsibilities into employment, contractor, and third-party terms before work/access Sample signed agreements; verify security clauses, confidentiality, timing, role updates, and personnel data responsibilities Responsibility ambiguity, contractual noncompliance, confidentiality breach, weak enforceability Security Terms and Conditions Checklist, Confidentiality Agreement Register, Personnel Security Responsibility Acknowledgement, A.6.2 Audit Checklist
A.6.3 Information Security Awareness Education and Training Define baseline and role-specific training, refresh cycles, update triggers, records, and effectiveness measures Sample training records; verify timing before access, role fit, content currency, interviews, and effectiveness review Human error, social engineering, weak competence, policy nonconformity, and control-operation risk Security Awareness and Training Plan, Role-Based Security Training Matrix, Security Training Record, A.6.3 Audit Checklist
A.6.4 Disciplinary Process Define evidence-based, fair, communicated response to security policy violations Sample incidents and disciplinary triggers; verify criteria, evidence, proportionality, outcome, and closure Policy non-compliance, repeated control bypass, insider behavior, and security culture risk Disciplinary Process Checklist, Policy Violation and Disciplinary Action Register, A.6.4 Audit Checklist
A.6.5 Responsibilities After Termination or Change of Employment Define leaver/mover workflow for access removal, asset return, notifications, and continuing duties Sample leavers and movers; compare event dates with access removal, asset return, notifications, and continuing duty communication Stale access, excessive privilege, asset loss, confidentiality breach, and SoD risk Leaver and Role Change Security Checklist, Post-Employment Security Responsibilities Register, A.6.5 Audit Checklist
A.6.6 Confidentiality or Non-Disclosure Agreements Identify NDA needs and control signing, legal review, register, and review cycles Sample agreements; verify requirement basis, signing before access, enforceability, review status, and exceptions Unauthorized disclosure, weak legal protection, third-party confidentiality, and contractual risk Confidentiality Agreement Register, Confidentiality Agreement Review Checklist, A.6.6 Audit Checklist
A.6.7 Remote Working Define remote work authorization, location/data limits, secure connection, endpoint, physical, and non-work use controls Sample remote workers; verify authorization, device controls, secure connection, asset register, location/data limits, and awareness Off-premises information exposure, endpoint loss, unauthorized viewing, insecure network, and excessive remote access risk Remote Working Authorization Register, Remote Working Security Checklist, Remote Working Risk Assessment, A.6.7 Audit Checklist
A.6.8 Information Security Event Reporting Define reporting channels, examples, forms, no-blame culture, and triage linkage Interview personnel; sample reports; verify reporting channels, event forms, triage, closure, and external notification criteria Delayed detection, under-reporting, incident escalation, root-cause learning, and notification deadline risk Information Security Event Report Form, Information Security Event Reporting Channel Register, A.6.8 Audit Checklist

Mapping notes

  • A.6 controls are people-risk treatments. They reduce the chance that the wrong person is trusted or that the right person lacks clear obligations.
  • A.6 evidence often sits outside the security team. Expect HR, legal, procurement, line management, and vendor management records.
  • Screening and contractual terms must be privacy-aware. A people control can create a privacy nonconformity if evidence is retained or exposed carelessly.
  • Awareness and training should be driven by role risk, incidents, policy changes, and emerging threats rather than treated as annual administration.
  • Leaver/mover controls should be tested with timestamps. “Eventually removed” is not the same as timely access removal.
  • Remote working and event reporting both depend on user behavior. Awareness evidence and interviews matter more than policy text alone.
  • Iso27001
  • Iso27002
  • Iso27005
  • Crosswalk
  • People controls

Note Metadata

Aliases: A.6 Implementation Audit Risk Map

Source: 08 Crosswalks/A.6 People Controls Implementation Audit Risk Mapping.md

Graph-sourced resources

Templates and evidence