ISO 27002 - A.6 - People controls

A.6.1

Screening

Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Mapped SCF controls

A.6.2

Terms and conditions of employment

The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security.

Mapped SCF controls

A.6.3

Information security awareness, education and training

Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.

Mapped SCF controls

A.6.4

Disciplinary process

A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

Mapped SCF controls

A.6.5

Responsibilities after termination or change of employment

Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.

Mapped SCF controls

A.6.6

Confidentiality or non-disclosure agreements

Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

Mapped SCF controls

A.6.7

Remote working

Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

Mapped SCF controls

A.6.8

Information security event reporting

The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Mapped SCF controls