A.6.4 / PS-8 ISO/IEC 27001:2022 Annex A ISO 27001

A.6.4 — Is there a formal disciplinary process for staff who violate IS policy?

Demonstrate that the organization maintains a documented, consistently applied disciplinary process that addresses information security policy violations with defined consequences and procedural safeguards.

Description

What this control does

This control requires the organization to establish and document a formal disciplinary process specifically addressing violations of information security policies. The process must define progressive consequences for policy breaches, from verbal warnings to termination, and ensure consistent application across all personnel regardless of role or seniority. It provides a structured, legally defensible mechanism for addressing security incidents caused by deliberate or negligent employee actions, reinforcing accountability and deterring future violations.

Control objective

What auditing this proves

Demonstrate that the organization maintains a documented, consistently applied disciplinary process that addresses information security policy violations with defined consequences and procedural safeguards.

Associated risks

Risks this control addresses

  • Employees deliberately circumvent security controls without fear of consequences, increasing insider threat exposure
  • Inconsistent or arbitrary enforcement of security policies leads to discrimination claims and legal liability
  • Management lacks authority or process to remove employees who repeatedly violate critical security controls
  • Security incidents caused by negligence are not addressed, creating a culture of non-compliance
  • Severe policy violations such as data exfiltration or credential sharing go unpunished due to absence of formal procedures
  • The organization cannot demonstrate due diligence in protecting sensitive information during regulatory investigations or breach litigation
  • Lack of documented disciplinary actions prevents pattern analysis of repeat offenders or systemic control weaknesses

Testing procedure

How an auditor verifies this control

  1. Request and review the organization's human resources policy manual, employee handbook, and code of conduct for documented disciplinary procedures specific to information security policy violations
  2. Verify the disciplinary policy explicitly references information security policies and defines categories of violations with corresponding consequence levels
  3. Interview the HR director and CISO to confirm roles and responsibilities for initiating, investigating, and executing disciplinary actions for security violations
  4. Obtain a complete list of documented security policy violations from the past 12 months through incident management systems, HR records, and security logs
  5. Select a sample of 5-10 security incidents involving policy violations and trace each through the disciplinary process from detection to resolution
  6. Review evidence that employees receive acknowledgment of the disciplinary policy during onboarding and annual security awareness training
  7. Verify that the disciplinary process includes due process protections such as investigation procedures, right to respond, and appeals mechanisms
  8. Confirm that disciplinary actions for similar violations are consistent across different business units and employee levels by comparing consequence severity across sampled cases
Evidence required

HR policy documentation and employee handbook sections defining the disciplinary process for information security violations. Incident records, investigation reports, and HR case files showing application of the disciplinary process to actual security policy violations, including dates, violation descriptions, investigation findings, and imposed consequences. Signed employee acknowledgment forms confirming awareness of security policies and associated disciplinary procedures.

Pass criteria

A formal disciplinary process specifically addressing information security policy violations is documented, communicated to all staff, and consistently applied, as evidenced by case records showing investigation and appropriate consequences for sampled violations within the audit period.