How to use this map
Use this as the bridge between implementer tasks, audit tests, ISO/IEC 27002 interpretation, and ISO/IEC 27005 risk thinking.
| Control | Implementation focus | Audit focus | ISO 27005 risk link | Useful templates |
|---|---|---|---|---|
| A.6.1 Screening | Define lawful, proportional, role-based screening before joining or sensitive access | Sample personnel and contractor files; verify timing, independent checks, follow-up, and privacy handling | Personnel trust risk, insider misuse, fraud, unauthorized disclosure, excessive PII collection | Personnel Screening Register, Background Verification Checklist, A.6.1 Audit Checklist |
| A.6.2 Terms and Conditions of Employment | Embed security responsibilities into employment, contractor, and third-party terms before work/access | Sample signed agreements; verify security clauses, confidentiality, timing, role updates, and personnel data responsibilities | Responsibility ambiguity, contractual noncompliance, confidentiality breach, weak enforceability | Security Terms and Conditions Checklist, Confidentiality Agreement Register, Personnel Security Responsibility Acknowledgement, A.6.2 Audit Checklist |
| A.6.3 Information Security Awareness Education and Training | Define baseline and role-specific training, refresh cycles, update triggers, records, and effectiveness measures | Sample training records; verify timing before access, role fit, content currency, interviews, and effectiveness review | Human error, social engineering, weak competence, policy nonconformity, and control-operation risk | Security Awareness and Training Plan, Role-Based Security Training Matrix, Security Training Record, A.6.3 Audit Checklist |
| A.6.4 Disciplinary Process | Define evidence-based, fair, communicated response to security policy violations | Sample incidents and disciplinary triggers; verify criteria, evidence, proportionality, outcome, and closure | Policy non-compliance, repeated control bypass, insider behavior, and security culture risk | Disciplinary Process Checklist, Policy Violation and Disciplinary Action Register, A.6.4 Audit Checklist |
| A.6.5 Responsibilities After Termination or Change of Employment | Define leaver/mover workflow for access removal, asset return, notifications, and continuing duties | Sample leavers and movers; compare event dates with access removal, asset return, notifications, and continuing duty communication | Stale access, excessive privilege, asset loss, confidentiality breach, and SoD risk | Leaver and Role Change Security Checklist, Post-Employment Security Responsibilities Register, A.6.5 Audit Checklist |
| A.6.6 Confidentiality or Non-Disclosure Agreements | Identify NDA needs and control signing, legal review, register, and review cycles | Sample agreements; verify requirement basis, signing before access, enforceability, review status, and exceptions | Unauthorized disclosure, weak legal protection, third-party confidentiality, and contractual risk | Confidentiality Agreement Register, Confidentiality Agreement Review Checklist, A.6.6 Audit Checklist |
| A.6.7 Remote Working | Define remote work authorization, location/data limits, secure connection, endpoint, physical, and non-work use controls | Sample remote workers; verify authorization, device controls, secure connection, asset register, location/data limits, and awareness | Off-premises information exposure, endpoint loss, unauthorized viewing, insecure network, and excessive remote access risk | Remote Working Authorization Register, Remote Working Security Checklist, Remote Working Risk Assessment, A.6.7 Audit Checklist |
| A.6.8 Information Security Event Reporting | Define reporting channels, examples, forms, no-blame culture, and triage linkage | Interview personnel; sample reports; verify reporting channels, event forms, triage, closure, and external notification criteria | Delayed detection, under-reporting, incident escalation, root-cause learning, and notification deadline risk | Information Security Event Report Form, Information Security Event Reporting Channel Register, A.6.8 Audit Checklist |
Mapping notes
- A.6 controls are people-risk treatments. They reduce the chance that the wrong person is trusted or that the right person lacks clear obligations.
- A.6 evidence often sits outside the security team. Expect HR, legal, procurement, line management, and vendor management records.
- Screening and contractual terms must be privacy-aware. A people control can create a privacy nonconformity if evidence is retained or exposed carelessly.
- Awareness and training should be driven by role risk, incidents, policy changes, and emerging threats rather than treated as annual administration.
- Leaver/mover controls should be tested with timestamps. “Eventually removed” is not the same as timely access removal.
- Remote working and event reporting both depend on user behavior. Awareness evidence and interviews matter more than policy text alone.
Related guides
- Iso27001
- Iso27002
- Iso27005
- Crosswalk
- People controls
Note Metadata
Aliases: A.6 Implementation Audit Risk Map
Source: 08 Crosswalks/A.6 People Controls Implementation Audit Risk Mapping.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.6.1 - Screening
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.4 - Disciplinary Process
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.6.8 - Information Security Event Reporting
- A.6 People Controls MOC
- A.6 People Controls Implementation Guide
- ISO 27001 Implementer Guide
- ISO 27001 Auditor Guide
- ISO 27005 Risk Management Guide
- ISO 27001 Implementer Auditor ISO 27005 Mapping
- ISO 27002 Annex A Control Interpretation Map
- ISO 27005 Knowledge Base
- GRC Knowledge Model
- A.6.1 Audit Checklist
- A.6.2 Audit Checklist
- A.6.3 Audit Checklist
- A.6.4 Audit Checklist
- A.6.5 Audit Checklist
- A.6.6 Audit Checklist
- A.6.7 Audit Checklist
- A.6.8 Audit Checklist
- Background Verification Checklist
- Confidentiality Agreement Register
- Confidentiality Agreement Review Checklist
- Disciplinary Process Checklist
- Information Security Event Report Form
- Information Security Event Reporting Channel Register
- Leaver and Role Change Security Checklist
- Personnel Screening Register
- Personnel Security Responsibility Acknowledgement
- Policy Violation and Disciplinary Action Register
- Post-Employment Security Responsibilities Register
- Remote Working Authorization Register
- Remote Working Risk Assessment
- Remote Working Security Checklist
- Role-Based Security Training Matrix
- Security Awareness and Training Plan
- Security Terms and Conditions Checklist
- Security Training Record
- Annex A Controls MOC
- ISO 27001 Overview
- Templates MOC