Analysis of the People Controls in ISO/IEC 27002:2022 – Part 2

Continuing from the previously published article Analysis of the Organizational Controls in ISO/IEC 27002:2022 – Part 1, in this article we will present an analysis of the people controls and physical security controls included in ISO/IEC 27002:2022.

Personnel Screening – Verification (6.1)

The control states that an information security management system requires a personnel screening policy for all new, promoted, or transferred employees, including consultants and temporary staff. The objective is to ensure that employees are competent and trustworthy. The policy must take into account both local laws and regulations as well as the role of the new employee, ensuring that the level of control is sufficient but not disproportionate. Some roles within an organization may require a higher level of screening, for example, if employees will handle confidential information. For roles specifically related to information security, screening must also include the required competencies and reliability, and this must be documented accordingly.

Terms and Conditions of Employment (6.2)

The control states that, before starting work, the employee must be aware of the organization’s information security policy, including their information security roles and responsibilities. This may be communicated through a signed code of conduct or a similar method. Employment contracts must also include the organization’s information security responsibilities, including a confidentiality agreement if the employee will have access to confidential information.

This control aims to ensure that information security is understood as an integral part of the employee’s role from day one.

Information Security Awareness, Education and Training (6.3)

This control states that employees need information security training aligned with their responsibilities when they join the organization or change roles. Long‑standing staff also need their awareness maintained through periodic training and communication. Training must be relevant to the role. For many employees, this will include basic aspects such as reminders about password security and social engineering attacks. For technical staff or those handling confidential material, deeper training will be required for their specific role.

Disciplinary Process (6.4)

The control states that a documented disciplinary process must exist, with clear rules to be applied after a confirmed violation of the information security policy. The disciplinary procedure must be proportionate and graduated, with actions depending on the severity of the incident, the intent, whether it is a repeated offense, and—most importantly—whether the employee has received adequate training. Many recorded security incidents will result from policy violations and should lead to disciplinary measures. This matters because staff may avoid reporting security incidents out of fear of disciplinary action; the procedure must therefore be designed so that the fear of unjustified reprisals does not discourage incident reporting.

Responsibilities After Termination or Change of Employment (6.5)

The control states that information security responsibilities do not end when employment changes or is terminated. Employment terms must include confidentiality agreements requiring the employee to respect the confidentiality of information after leaving the organization. When an employee leaves, information security roles may also be left vacant. To maintain security continuity, management must identify these roles so they can be reassigned.

Confidentiality or Non‑Disclosure Agreements (6.6)

The control states that if the confidentiality level of the information is high enough, it may be necessary to protect it through legally binding terms. In such cases, confidentiality agreements can be used to define the information covered, the responsibilities of all parties, the duration of the agreement, and the penalties for non‑compliance. These agreements protect information from disclosure for a defined period after the employee has left the organization.

Remote Working (6.7)

The control states that, since remote work has become common practice in many organizations—providing greater flexibility for both organizations and employees—it has implications for information security that must be considered and documented. The remote working policy must specify where and when remote work is permitted, the provision of devices and equipment, authorized access, and which information may be accessed remotely. Policies governing the use of untrusted networks and the risk that friends, family, or strangers may overhear or see confidential information in uncontrolled environments are particularly important.

Information Security Incident Reporting (6.8)

This control states that employees sometimes encounter information security incidents during their daily work. Incidents may include human errors, confidentiality breaches, malfunctions, suspected malware infections, and violations of the information security policy or the law. The first step in identifying, resolving, and preventing incidents from recurring is reporting. Therefore, employees need clear and accessible reporting channels and must be aware of their existence.

Early reporting is essential for detecting, managing, and preventing incidents, and it should be encouraged through awareness and an organizational culture that values transparency.

Physical Security Perimeter (7.1)

The control states that the first step in protecting a physical space that houses critical information and assets is defining its perimeter. Sensitive or critical areas within the perimeter can then be identified. The perimeter must be physically secure enough to protect its contents, for example, through alarms and intrusion detection systems. If necessary, a staffed reception area can be used to control access.

Physical Entry Controls (7.2)

This control states that physical access to facilities and restricted areas must be limited to authorized individuals only—that is, only authorized persons should be able to access the organization’s assets and the information that must be protected. The level of restriction depends on the organization’s requirements. Personal identification and logging of individuals entering the facilities must be considered. A visitor procedure must be in place to verify their identity, define where they may go, and determine whether they must be escorted. Deliveries also pose a risk, both because delivery areas must be secured and because delivery personnel must be prevented from entering restricted zones.

Securing Offices, Rooms and Facilities (7.3)

The control states that offices must be secured with physical or digital locks. In general, directories and detailed maps should not be openly accessible, as they may reveal the location of sensitive assets.

Physical Security Monitoring (7.4)

This control states that monitoring can deter intruders and detect intrusions. Guards, cameras, and alarms monitor for unauthorized access. The design of any monitoring system must be treated as confidential. Regular testing is necessary to ensure the system works properly. Camera surveillance systems and other monitoring systems that collect personal information or can be used to track individuals may require special consideration under data protection laws. For example, camera surveillance may require a data protection impact assessment under the GDPR.

Protection Against Physical and Environmental Threats (7.5)

The control states that natural or man‑made disasters and physical attacks threaten assets, information security, and business continuity. The level of these risks depends largely on location. Floods, fires, and major storms are the most likely risks, but the risk of earthquakes, civil unrest, and terrorist attacks may also be considered in risk assessments. Protective measures must be based on risk assessments that take into account the location and operational context.

Working in Secure Areas (7.6)

The control states that the existence and purpose of secure environments should only be shared when necessary. They must remain locked, and access must be limited to authorized individuals. Working alone should generally be discouraged for both safety and security reasons.

Clear Desk and Clear Screen Policy (7.7)

The control states that anyone can access confidential information left on desks, screens, printers, and boards. A clear desk and clear screen policy defines how and where information may be accessed. A basic policy includes not leaving printed documents unattended—neither at workstations nor at printers (clear desk), locking device screens (clear screen), and erasing boards after meetings. In some cases, more detailed policies may be required for sensitive information, for example, ensuring that information cannot be viewed on a screen in an open environment.

Equipment Siting and Protection (7.8)

The control states that careful selection of equipment location can minimize a range of risks: not only unauthorized access, but also risks due to environmental factors, food and drink spills, vandalism, and degradation caused by light or humidity. The required protection will depend on the sensitivity of the equipment.

Security of External Assets (7.9)

The control states that devices, including personal ones (bring‑your‑own‑device), still require protection when taken off‑site. Basic measures include appropriate physical protection such as cases and theft prevention by not leaving devices unattended. The organization must be aware of which devices are used off‑site, who uses them, and what information is accessed or processed when they are outside the premises. Controls to prevent information leakage from these devices and the installation of malicious applications, together with monitoring and remote wiping when necessary, must be implemented while ensuring that employees are aware of and authorize the use of such tools.

Storage Media (7.10)

This control states that information stored on any type of media carries the risk of unauthorized access and loss of integrity through modification, degradation, loss, destruction, or deletion. Storage media must therefore be managed securely throughout their lifecycle. Policies governing removable media must cover what information may be stored on them, the logging and tracking of such media, how they must be securely stored to prevent unauthorized access or degradation, and how they must be transported. When storage media are no longer needed, secure destruction is required. This may be performed by an external party.

Supporting Utilities (7.11)

This control states that power outages can immediately compromise business operations. Less obviously, telecommunications and air conditioning failures will disrupt digital activities, and failures in gas, sewage, or water supply will prevent employees from working on‑site. Inspection and alarm systems can identify actual or potential failures. Continuity plans must identify detection mechanisms, alternative options, and emergency contact details for service providers.

Cabling Security (7.12)

Information and data are transferred through cables, while computers, security systems, and environmental controls require power supplied through wiring. The former can be intercepted, and interruptions to either can compromise information security and business continuity. This control states that the required level of security depends on the organization and, in many cases, will be managed by building facilities providers or telecommunications and utility companies. Basic protections include using secure conduits or cable ducts, floor cable covers to prevent damage, interference, or interception, and securing access points and utility entry points.

Equipment Maintenance (7.13)

The control states that equipment maintenance introduces two information security considerations: poorly maintained equipment risks data loss, while inspection or maintenance may expose information to external or unauthorized parties. Regularly inspected and updated equipment is less likely to require riskier repairs or cause service interruptions. When repairs are required, care must be taken in selecting service providers, ensuring access is controlled, and verifying the work performed to avoid unnecessary exposure.

Secure Disposal or Re‑use of Equipment (7.14)

The control states that servers, PCs, storage systems, and any device no longer in use may contain licensed software or store sensitive data, including organizational information or configuration details. This also applies to equipment requiring repair and must be considered when deciding whether to use external repair services. Standard deletion functions may not be sufficient to remove sensitive information. Instead, specialized destruction, wiping, or overwriting methods reduce the risk of residual information remaining on storage media. Physical labels or markings that may reveal information must also be removed.

References

ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, https://www.iso.org/standard/75652.html

ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls, https://www.iso.org/standard/54533.html


PMP, CISSP|I, CSSLP|I, CCSP, OTI, CISM, CDPSE, PCI QSA, PCI QPA, PCI SSA, PCIP, CCSK, MCPS, ITIL4, SFPC, DEPC, CSFPC, ISO 27001-LA, ISO 20000-1-IA, ISO 22301-IA Head of Consulting for Colombia