UnixTime

Domain guide

What this domain covers

A.6 controls for screening, employment terms, awareness, disciplinary process, termination, confidentiality, remote work, and reporting.

42 resources

Guide + resources

Grouped resources

Guide notes

Implementation context, reference notes, and explanatory material.

8 items
Research note 01 min read

AQ-ISO27001-A.6.1 Screening

Audit question set for ISO27001-A.6.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.6.2 Terms and Conditions of Employment

Audit question set for ISO27001-A.6.2. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.6.4 Disciplinary Process

Audit question set for ISO27001-A.6.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.6.7 Remote Working

Audit question set for ISO27001-A.6.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.6.8 Information Security Event Reporting

Audit question set for ISO27001-A.6.8. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question

Controls

Control-level notes and control-domain references.

17 items
Framework note 02 mins read

A.6 People Controls MOC

A.5 is mostly governance and organizational control design. A.6 is about personnel trust and behavior. In an audit, A.6 evidence usually comes from HR, recruitment, line managem...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.1 - Screening

The organization should check that people are who they claim to be, have the relevant background for the role, and do not present unmanaged personnel risk before they join or re...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.2 - Terms and Conditions of Employment

People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.4 - Disciplinary Process

The organization needs a documented and communicated process for handling information security policy violations. People should know that violations can lead to action, and mana...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements

The organization should know when confidentiality or non-disclosure agreements are needed, use terms that match its information-protection needs, keep those agreements legally u...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.7 - Remote Working

When people work away from organization premises, the organization still has to protect information. That includes homes, hotels, coffee shops, customer sites, temporary offices...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.8 - Information Security Event Reporting

People need to know what might be a security event, how to report it, who to report it to, and what not to do. Reporting should be fast, simple, and no-blame enough that people...

ISO27001 ISO27002 iso27001 iso27002
Framework note 01 min read

ISO27001-A.6.1 Screening

The organization should check that people are who they claim to be, have the relevant background for the role, and do not present unmanaged personnel risk before they join or receive access.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.2 Terms and Conditions of Employment

People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security responsibility addenda should clearly state what personnel must do to protect information and what the organization is responsible for.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.3 Information Security Awareness, Education and Training

People need to know how to behave securely in their actual role. Everyone needs baseline awareness, but people with specific responsibilities need deeper training that matches their work, systems, information access, and security duties.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.4 Disciplinary Process

The organization needs a documented and communicated process for handling information security policy violations. People should know that violations can lead to action, and managers should know how to trigger the process fairly and consistently.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.5 Responsibilities After Termination or Change of Employment

When someone leaves the organization or changes role, their old access, assets, and responsibilities must be handled deliberately. Some rights should stop immediately. Some duties, such as confidentiality, may continue after the relationship ends.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.6 Confidentiality or Non-Disclosure Agreements

The organization should know when confidentiality or non-disclosure agreements are needed, use terms that match its information-protection needs, keep those agreements legally usable, review them regularly, and make sure the right parties sign them before receiving confidential information.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.7 Remote Working

When people work away from organization premises, the organization still has to protect information. That includes homes, hotels, coffee shops, customer sites, temporary offices, shared workspaces, and other remote locations.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.8 Information Security Event Reporting

People need to know what might be a security event, how to report it, who to report it to, and what not to do. Reporting should be fast, simple, and no-blame enough that people do not hide mistakes.

ISO27001 ISO27002 iso27001 annex_a

Evidence packs

Audit evidence packs, registers, proof records, and evidence examples.

8 items
Template note 02 mins read

A.6.1 Audit Evidence Pack

The auditor wants evidence that background verification checks are defined, applied, documented, and protected as personal data.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.6.2 Audit Evidence Pack

The auditor wants evidence that security responsibilities are defined, accepted, role-appropriate, current, and applicable to employees, contractors, and third-party users in sc...

ISO27001 ISO27002 audit evidence
Template note 03 mins read

A.6.3 Audit Evidence Pack

The auditor wants evidence that training is role-relevant, current, recorded, repeated where needed, and improved based on effectiveness feedback.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.6.4 Audit Evidence Pack

The auditor wants evidence that the organization can respond fairly and consistently when personnel or relevant interested parties violate information security policy.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.6.5 Audit Evidence Pack

The auditor wants proof that old access and assets are removed, relevant parties are notified, and continuing duties are communicated after termination or role change.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.6.6 Audit Evidence Pack

The auditor wants evidence that agreements reflect actual confidentiality requirements and are legally usable where needed.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.6.7 Audit Evidence Pack

The auditor wants evidence that information remains protected when accessed, processed, or stored outside organization premises.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.6.8 Audit Evidence Pack

The auditor wants proof that reporting channels are known, usable, timely, and connected to event assessment and incident management.

ISO27001 ISO27002 audit evidence

Templates

Reusable implementation, audit, and operational templates.

8 items
Template note 01 min read

A.6.1 Audit Checklist

- Confirm the organization has a documented screening procedure. - Confirm screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope. - C...

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.2 Audit Checklist

Use this checklist during an internal audit of employment, contractor, and third-party security responsibility terms.

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.3 Audit Checklist

Use this checklist during an internal audit of information security awareness, education, training, and update processes.

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.4 Audit Checklist

Use this checklist during an internal audit of disciplinary handling for information security policy violations.

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.5 Audit Checklist

Use this checklist during an internal audit of leaver, mover, contractor offboarding, and continuing responsibility controls.

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.6 Audit Checklist

Use this checklist during an internal audit of confidentiality and non-disclosure agreement controls.

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.7 Audit Checklist

- Confirm remote working policy and procedures exist. - Confirm authorized remote workers, locations, activities, data, and controls are recorded. - Check remote working risk as...

ISO27001 ISO27002 template audit
Template note 01 min read

A.6.8 Audit Checklist

Use this checklist during an internal audit of information security event reporting.

ISO27001 ISO27002 template audit

Crosswalks

Mappings across controls, risks, standards, and assurance views.

1 item
Framework note 03 mins read

A.6 People Controls Implementation Audit Risk Mapping

- A.6 controls are people-risk treatments. They reduce the chance that the wrong person is trusted or that the right person lacks clear obligations. - A.6 evidence often sits ou...

ISO27001 ISO27002 iso27001 iso27005

Deep links

Link to this domain with /research/iso27001/annex-a-people-controls/ . Link directly to exact notes from any resource card above.