Requirements: Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
Explanation: This control ensures everyone in the organization knows the rules for keeping information safe. The main policy sets the overall direction, while topic-specific ones cover details like access or backups. They need regular updates to match business changes, laws, or new risks, so protection stays effective.
Example: A small retail shop creates a simple policy saying all customer data must be stored securely and only shared with authorized staff. They email it to employees, who sign off, and review it yearly or after a data law change.
Answer: Policies should be reviewed at planned intervals and whenever significant changes occur, such as business strategy shifts or new threats.
Answer: Top management should approve the main policy, while topic-specific policies can be approved by appropriate personnel with authority.
Answer: It should include a definition of information security, objectives, principles for activities, commitment to requirements, and procedures for handling exceptions.
Requirements: Information security roles and responsibilities should be defined and allocated according to the organization's needs.
Explanation: This means assigning clear jobs for security tasks, like who protects data or handles risks. It helps everyone know their part in keeping things safe, and roles can be delegated but the main person stays accountable.
Example: In a clinic, the manager is responsible for overall data security, but delegates daily backups to the IT admin. If something goes wrong, the manager still answers for it.
Answer: Information security responsibilities should be assigned to a dedicated information security officer or team, incorporating roles such as IT personnel, compliance officers, and department heads. All employees should also receive training and be made aware of their responsibilities regarding data security.
Answer: Roles should be defined, documented, and communicated, including for asset protection and risk acceptance.
Answer: They should receive support to build competence and stay updated on developments related to their role.
Requirements: Conflicting duties and conflicting areas of responsibility should be segregated.
Explanation: Split tasks so no single person can do everything that might lead to mistakes or fraud, like approving and executing the same change. In small places, use checks like monitoring if full separation isn’t possible.
Example: In a bookstore, one employee orders books, but another checks and pays for them, preventing one person from faking orders.
Answer: It prevents fraud, errors, or bypassing security by separating conflicting tasks.
Answer: Use compensating controls like monitoring activities or management supervision.
Answer: Avoid granting conflicting roles to the same person in systems like role-based access control.
Requirements: Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.
Explanation: Leaders must support security rules and ensure staff follow them, including briefing roles, providing training, and resources. This builds a culture where everyone handles info safely.
Example: A cafe owner trains staff on not sharing customer emails and provides secure tools, checking compliance during reviews.
Answer: Demonstrate support by briefing roles, providing guidelines, and ensuring awareness.
Answer: Require acknowledgment of policies and provide channels for reporting violations.
Answer: Adequate resources and time for implementing security processes and controls.
Requirements: The organization should establish and maintain contact with relevant authorities.
Explanation: Know who to call, like police or regulators, for security issues. This helps quick reporting of incidents and staying updated on rules.
Example: A gym keeps contacts for local police in case of a data theft, and checks health data laws regularly.
Answer: Authorities should be contacted when there is a situation involving criminal activity, imminent danger to life or property, threats of violence, missing persons, or any other emergency that requires immediate intervention.
Answer: Law enforcement, regulatory bodies, and supervisory authorities.
Answer: To support incident management, contingency planning, and anticipate regulatory changes.
Requirements: The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations.
Explanation: Join groups for security tips, early warnings on threats, and sharing knowledge. This keeps you informed on best practices.
Example: A bakery joins a small business security forum to learn about new scams targeting online orders.
Answer: Improved knowledge of best practices, early warnings, and specialist advice.
Answer: Special interest groups, security forums, and professional associations.
Answer: They provide liaison points for dealing with security incidents.
Requirements: Information relating to information security threats should be collected and analysed to produce threat intelligence.
Explanation: Gather and study threat info to spot risks early. Use layers like high-level trends or specific attack details, making it relevant and actionable to prevent or reduce harm.
Example: A tutoring service subscribes to threat alerts and adjusts email filters after learning about common phishing attacks on educators.
Answer: Strategic (high-level landscape), tactical (methodologies and tools), and operational (specific attack details).
Answer: To inform risk management, update controls, and support testing processes.
Answer: Internal and external sources, analyzed for relevance and actionability.
Requirements: Information security should be integrated into project management.
Explanation: Include security from the start in any project, assessing risks and testing. This covers all projects, not just tech, to avoid vulnerabilities.
Example: When launching a new website, a florist checks for data protection early, like secure payment forms.
Answer: Yes, regardless of type, size, or complexity, including non-ICT projects.
Answer: Risk assessment, requirements like IP compliance, and testing for effectiveness.
Answer: Project management, with steering committees following up at stages.
Requirements: An inventory of information and other associated assets, including owners, should be developed and maintained.
Explanation: List all data and related items like devices, assign owners, and keep it updated. This helps protect assets by knowing what you have and who’s responsible.
Example: A hair salon lists client records, computers, and software, with the owner accountable for updates.
Answer: Information, hardware, software, facilities, personnel, and records.
Answer: Conduct regular reviews and automate updates during changes.
Answer: Classify, protect, and manage risks for their assets.
Requirements: Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.
Explanation: Set clear rules on how to use data and tools safely, like no sharing secrets. Communicate them to prevent misuse.
Example: A coffee shop’s policy says staff can’t email customer lists home, and they sign to agree.
Answer: All personnel and external users accessing assets.
Answer: Access restrictions, copying, storage, and disposal.
Answer: Identify and control use, like through agreements.
Requirements: Personnel and other interested parties as appropriate should return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.
Explanation: When someone leaves, get back all company items like phones or data. This protects info from leaving with them.
Example: A departing mechanic returns the shop’s tablet with client info, and access is revoked.
Answer: Transfer relevant information and securely delete from the device.
Answer: Document and transfer important knowledge to the organization.
Answer: Devices, storage media, authentication items, and physical copies.
Requirements: Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
Explanation: Label data by importance, like “confidential” for sensitive info. Owners decide levels, reviewed over time, to apply right protection.
Example: A vet classifies pet owner details as confidential to limit access.
Answer: Confidentiality, integrity, availability, and legal requirements.
Answer: Owners of information assets.
Answer: Periodically and with changes in value or sensitivity.
Requirements: An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization.
Explanation: Add labels like headers or metadata to show classification. This helps handle data correctly, even digitally.
Example: Emails with client info get a “confidential” footer to remind recipients.
Answer: Labelling can be omitted when the context is clear, such as when the content is presented in a well-defined format, or when the audience is familiar with the subject matter.
Answer: For non-confidential information to reduce workload.
Answer: Metadata enables systems to make decisions based on labels.
Requirements: Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.
Explanation: Set rules for sending info safely, like encryption for emails or secure couriers. Cover electronic, physical, and verbal transfers to avoid leaks.
Example: A law firm uses encrypted files for client docs sent to partners.
Answer: Electronic, physical media, and verbal communications.
Answer: Use malware detection and stronger authentication on public networks.
Answer: Use reliable couriers and tamper-evident packaging.
Requirements: Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.
Explanation: Define who gets access to what, based on needs like “need-to-know.” Use policies to prevent unauthorized entry.
Example: A library limits staff access to patron records, using logins.
Answer: Need-to-know and need-to-use.
Answer: Define consistently with classification and segregation of duties.
Answer: Mandatory, discretionary, role-based, or attribute-based.
Requirements: The full life cycle of identities should be managed.
Explanation: Handle user IDs from creation to deletion, ensuring uniqueness and timely removal. This ties to access rights.
Example: A school creates unique logins for teachers, deletes them upon leaving.
Answer: To hold individuals accountable; use only if necessary with approval.
Answer: Ensure they meet trust levels and manage risks.
Answer: Significant events in identity use and management.
Requirements: Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information.
Explanation: Manage passwords or keys securely, like forcing changes and using strong ones. Advise users not to share.
Example: A bank requires new hires to change temp passwords and use complex ones.
Answer: Make them unique, non-guessable, and require change on first use.
Answer: Minimum length, alphanumerics, no dictionary words.
Answer: To enforce strong passwords and prevent reuse.
Requirements: Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.
Explanation: Give, check, and remove access based on roles. Review regularly, especially on changes like job ends.
Example: When an employee quits a store, their POS access is immediately revoked.
Answer: Get owner approval and align with policies.
Answer: Regularly, on role changes, or terminations.
Answer: Review and revoke rights based on risk factors like reason for leaving.
Requirements: Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.
Explanation: Assess and control risks from suppliers, like evaluating their security and monitoring compliance.
Example: A clinic checks a software vendor’s data protection before buying.
Answer: ICT, logistics, utilities, and any affecting security.
Answer: Use market analysis, references, or certifications.
Answer: Mitigate issues or handle incidents jointly.
Requirements: Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.
Explanation: Include security terms in contracts, like data handling and audits, to ensure protection.
Example: A catering company adds confidentiality clauses to supplier contracts for recipes.
Answer: Information access, classification, and incident management.
Answer: Require same obligations for sub-suppliers.
Answer: Clauses for return of assets and ongoing confidentiality.
Requirements: Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
Explanation: Extend security to tech suppliers, like checking components for vulnerabilities.
Example: A tech firm verifies software from vendors for malware.
Answer: Require suppliers to apply practices to their sub-suppliers.
Answer: Components, vulnerabilities, and proper functioning.
Answer: Manage risks of obsolescence with alternative suppliers.
Requirements: The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.
Explanation: Track supplier performance, review reports, and handle changes to keep security consistent.
Example: A hotel reviews its cleaning service’s data handling quarterly.
Answer: Enhancements, new technologies, or sub-supplier shifts.
Answer: Verify compliance using audits, service reports, and independent reviews.
Answer: Take appropriate actions to address them.
Requirements: Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.
Explanation: Plan cloud use with security in mind, like agreements on data location and exit strategies.
Example: A startup ensures its cloud provider encrypts data and allows easy export.
Answer: Requirements, roles, and controls managed by each party.
Answer: Review agreements and monitor capabilities.
Answer: Plan handover and data return in agreements.
Requirements: The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.
Explanation: Set up a plan with roles for handling incidents, including reporting and response steps.
Example: A pharmacy has a plan: staff report suspicious emails to IT, who investigates.
Answer: Competent personnel for detection, analysis, and response.
Answer: Reporting, assessment, response, and logging.
Answer: Agree with management on priorities like resolution time.
Requirements: The organization should assess information security events and decide if they are to be categorized as information security incidents.
Explanation: Evaluate events by criteria to classify as incidents, logging details for review.
Example: A shop assesses a weird login as an incident if it’s unauthorized.
Answer: Agreed criteria for consequences and priority.
Answer: The point of contact or designated team.
Answer: For future reference and verification.
Requirements: Information security incidents should be responded to in accordance with the documented procedures.
Explanation: Follow steps like containing, collecting evidence, and communicating during incidents.
Example: During a virus, an office isolates infected computers and notifies staff.
Answer: Containment, evidence collection, and escalation.
Answer: A competent designated team.
Answer: Close, analyze root cause, and log activities.
Requirements: Knowledge gained from information security incidents should be used to strengthen and improve the information security controls.
Explanation: Analyze incidents to spot patterns and update plans or training to prevent repeats.
Example: After a phishing scam, a team adds email training to avoid future ones.
Answer: Types, volumes, and costs.
Answer: Update risk assessments and controls.
Answer: Provide examples in training to avoid similar issues.
Requirements: The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
Explanation: Gather evidence properly for legal or internal use, ensuring it’s untouched.
Example: In a data breach, a firm logs all actions without altering files.
Answer: To ensure admissibility in legal or disciplinary actions.
Answer: Different media types and device statuses.
Answer: Ensure entitlement to collect across jurisdictions.
Requirements: The organization should plan how to maintain information security at an appropriate level during disruption.
Explanation: Prepare for crises like outages, with plans to keep data safe and recover.
Example: A bank has backup generators and remote access for storms.
Answer: Security in continuity plans and crisis management.
Answer: Through exercises and simulations.
Answer: Defined responsibilities for security maintenance.
Requirements: ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and continuity requirements.
Explanation: Ensure tech systems can continue or recover quickly to support business.
Example: A delivery service tests cloud backups weekly for order data.
Answer: With business continuity objectives and risk assessments.
Answer: Recovery procedures and failover capabilities.
Answer: Review annually and after changes.
Requirements: Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date.
Explanation: List and follow all laws and contracts on security, updating as needed.
Example: A health clinic tracks HIPAA rules for patient data.
Answer: Legal, regulatory, and contractual related to security.
Answer: List explicitly with the organization’s approach.
Answer: Defined roles for identification and compliance.
Requirements: The organization should implement appropriate procedures to protect intellectual property rights.
Explanation: Use licensed software and protect creations with copyrights or trademarks.
Example: A designer registers logos and checks for unlicensed images.
Answer: Maintain records of licenses and ownership.
Answer: Acquisition, usage, and monitoring for infringement.
Answer: Agreements on ownership of work-creat
Requirements: Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
Explanation: Store important docs safely, following laws on retention.
Example: An accountant backs up financial records in locked cabinets.
Answer: Categorize, label, and handle per classification.
Answer: Based on legal and business requirements.
Answer: Securely when no longer needed.
Requirements: The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
Explanation: Follow privacy laws like GDPR, assessing risks to personal data.
Example: An online store gets consent for using customer emails.
Answer: From laws, contracts, and risk assessments.
Answer: Define controllers and processors.
Answer: Through privacy impact assessments.
Requirements: The organization’s approach to managing information security and its implementation should be reviewed independently at planned intervals, or when significant changes occur.
Explanation: Get outside audits to check security effectiveness.
Example: A firm hires experts yearly to review its firewalls.
Answer: At planned intervals (12 months) or after changes.
Answer: Independent trained personnel.
Answer: Policies, controls, and compliance with ISO 27001.
Requirements: Compliance with the organization’s information security policy, topic-specific policies, rules and standards should be regularly reviewed.
Explanation: Check if everyone follows rules, using audits or tools.
Example: A company scans for policy violations monthly.
Answer: Competent personnel or automated tools.
Answer: Address through corrective actions.
Answer: Keep records of findings and actions.
Requirements: Operating procedures for information processing facilities should be documented and made available to personnel who need them.
Explanation: Write clear steps for tasks, updating as needed, to ensure consistency.
Example: A warehouse has guides for secure inventory software use.
Answer: To ensure consistency and independence from individuals.
Answer: Personnel needing them, kept current.
Answer: Review and update with changes.