The control states that an information security management system requires a personnel screening policy for all new, promoted, or transferred employees, including consultants and temporary staff. The objective is to ensure that employees are competent and trustworthy. The policy must take into account both local laws and regulations as well as the role of the new employee, ensuring that the level of control is sufficient but not disproportionate. Some roles within an organization may require a higher level of screening, for example, if employees will handle confidential information. For roles specifically related to information security, screening must also include the required competencies and reliability, and this must be documented accordingly.
The control states that, before starting work, the employee must be aware of the organization’s information security policy, including their information security roles and responsibilities. This may be communicated through a signed code of conduct or a similar method. Employment contracts must also include the organization’s information security responsibilities, including a confidentiality agreement if the employee will have access to confidential information.
This control aims to ensure that information security is understood as an integral part of the employee’s role from day one.
This control states that employees need information security training aligned with their responsibilities when they join the organization or change roles. Long‑standing staff also need their awareness maintained through periodic training and communication. Training must be relevant to the role. For many employees, this will include basic aspects such as reminders about password security and social engineering attacks. For technical staff or those handling confidential material, deeper training will be required for their specific role.
The control states that a documented disciplinary process must exist, with clear rules to be applied after a confirmed violation of the information security policy. The disciplinary procedure must be proportionate and graduated, with actions depending on the severity of the incident, the intent, whether it is a repeated offense, and—most importantly—whether the employee has received adequate training. Many recorded security incidents will result from policy violations and should lead to disciplinary measures. It is important to remember this because staff may avoid reporting security incidents out of fear of disciplinary action; therefore, the procedure must not discourage incident reporting due to fear of unjustified reprisals.
The control states that information security responsibilities do not end when employment changes or is terminated. Employment terms must include confidentiality agreements requiring the employee to respect the confidentiality of information after leaving the organization. When an employee leaves, information security roles may also be left vacant. To maintain security continuity, management must identify these roles so they can be reassigned.
The control states that if the confidentiality level of the information is high enough, it may be necessary to protect it through legally binding terms. In such cases, confidentiality agreements can be used to define the information covered, the responsibilities of all parties, the duration of the agreement, and the penalties for non‑compliance. These agreements protect information from disclosure after the employee has left the organization for a defined period.
The control states that, since remote work has become common practice in many organizations—providing greater flexibility for both organizations and employees—it has implications for information security that must be considered and documented. The remote working policy must specify where and when remote work is permitted, the provision of devices and equipment, authorized access, and which information may be accessed remotely. Policies governing the use of untrusted networks and the risk that friends, family, or strangers may overhear or see confidential information in uncontrolled environments are particularly important.
This control states that employees sometimes encounter information security incidents during their daily work. Incidents may include human errors, confidentiality breaches, malfunctions, suspected malware infections, and violations of the information security policy or the law. The first step in identifying, resolving, and preventing incidents from recurring is reporting. Therefore, employees need clear and accessible reporting channels and must be aware of their existence.
Early reporting is essential for detecting, managing, and preventing incidents, and it should be encouraged through awareness and an organizational culture that values transparency.
The control states that the first step in protecting a physical space that houses critical information and assets is defining its perimeter. Sensitive or critical areas within the perimeter can then be identified. The perimeter must be physically secure enough to protect its contents, for example, through alarms and intrusion detection systems. If necessary, a staffed reception area can be used to control access.
This control states that physical access to facilities and restricted areas must be limited to authorized individuals only—that is, only authorized persons should be able to access the organization’s assets and the information that must be protected. The level of restriction depends on the organization’s requirements. Personal identification and logging of individuals entering the facilities must be considered. A visitor procedure must be in place to verify their identity, define where they may go, and determine whether they must be escorted. Deliveries also pose a risk, both because delivery areas must be secured and because delivery personnel must be prevented from entering restricted zones.
The control states that offices must be secured with physical or digital locks. In general, directories and detailed maps should not be openly accessible, as they may reveal the location of sensitive assets.
This control states that monitoring can deter intruders and detect intrusions. Guards, cameras, and alarms are used to detect unauthorized access. The design of any monitoring system must be treated as confidential. Regular testing is necessary to ensure the system works properly. Camera surveillance systems and other monitoring systems that collect personal information or can be used to track individuals may require special consideration under data protection laws. For example, camera surveillance may require a data protection impact assessment under the GDPR.
The control states that natural or man‑made disasters and physical attacks threaten assets, information security, and business continuity. The level of these risks depends largely on location. Floods, fires, and major storms are the most likely risks, but the risk of earthquakes, civil unrest, and terrorist attacks may also be considered in risk assessments. Protective measures must be based on risk assessments that take into account the location and operational context.
The control states that the existence and purpose of secure environments should only be shared when necessary. They must remain locked, and access must be limited to authorized individuals. Working alone should generally be discouraged for both safety and security reasons.
The control states that anyone can access confidential information left on desks, screens, printers, and boards. A clear desk and clear screen policy defines how and where information may be accessed. A basic policy includes not leaving printed documents unattended at workstations or at printers (clear desk), locking device screens when unattended (clear screen), and erasing boards after meetings. In some cases, more detailed policies may be required for sensitive information, for example, ensuring that information cannot be viewed on a screen in an open environment.
The control states that careful selection of equipment location can minimize a range of risks: not only unauthorized access, but also risks due to environmental factors, food and drink spills, vandalism, and degradation caused by light or humidity. The required protection will depend on the sensitivity of the equipment.
The control states that devices, including personal ones (bring‑your‑own‑device), still require protection when taken off‑site. Basic measures include appropriate physical protection, such as protective cases, and theft prevention, such as never leaving devices unattended. The organization must be aware of which devices are used off‑site, who uses them, and what information is accessed or processed when they are outside the premises. Controls to prevent information leakage from these devices, to prevent the installation of malicious applications, to monitor them, and to enable remote wiping when necessary must be implemented in a way that ensures employees are aware of, and have authorized, the use of such tools.
References
ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, https://www.iso.org/standard/75652.html
ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls, https://www.iso.org/standard/54533.html