About this program
Annex A.6 has 8 controls, the people side of ISO 27001:2022: screening, terms of employment, awareness training, disciplinary process, leaver responsibilities, NDAs, remote working (renumbered from the 2013 teleworking control) and event reporting. After each answer you can expand an “Auditor’s view” with how the control is tested, what evidence to collect, and the ideal answer.
Controls (8)
A.6.1 — Are background screening checks performed on candidates before employment, proportionate to the role?
How to test + evidence
Risk: A one-off pre-hire check misses anything that changes after the candidate joins. Role-proportionate screening (more rigorous for sensitive roles), with a periodic refresh for staff in privileged positions, closes that gap.
Testing procedure: Sample 25 hires from the audit period. For each, request the screening record from HR — verify checks proportionate to the role were completed and dated before the start date.
Evidence to collect:
- Screening policy with role-based requirements
- Sample of completed screening reports per hire
- HR record showing check completion before start date
A.6.2 / A.6.6 — Do employment contracts include IS responsibilities and confidentiality / NDA clauses?
How to test + evidence
Risk: Without contractual IS responsibilities you have no enforceable basis for the disciplinary process (A.6.4) or post-termination obligations (A.6.5).
Testing procedure: Request the standard employment contract template + a sample of executed contracts (10–15) covering employees, contractors and interns. Verify NDA + IS responsibilities clauses in each.
Evidence to collect:
- Standard contract template with IS clauses highlighted
- Sample of signed contracts across staff types
- Separate NDAs for contractors / vendors if used
A.6.3 — Do all staff receive IS awareness, education and training relevant to their role?
How to test + evidence
Risk: Continuous, role-based training is what changes behaviour. The effect of a single generic annual session decays within months, so a once-a-year tick-box course does little for the roles attackers actually target.
Testing procedure: Request the training matrix and completion report for the audit period. Verify high-risk roles (finance, IT admins, executives) received role-specific training. Sample 10 employees and confirm completion records.
Evidence to collect:
- Training plan with cadence + role coverage
- LMS completion report (% complete by role)
- Sample of training certificates per employee
- Phishing simulation report if used
A.6.4 — Is there a formal disciplinary process for staff who violate IS policy?
How to test + evidence
Risk: A documented process that has never been invoked is acceptable; auditors are not looking for violations. What matters is that staff know consequences exist and that, when the process is used, it is applied consistently and proportionately.
Testing procedure: Inspect the disciplinary process document. Verify it explicitly references IS policy violations and includes proportionate consequences. Request anonymised examples of where it has been applied (if any).
Evidence to collect:
- Disciplinary policy mentioning IS violations
- Communication record showing policy distributed to staff
- Anonymised case log (if any disciplinary action taken)
- HR + legal sign-off on the process
A.6.5 — Are responsibilities and duties on termination/change of employment documented and applied?
How to test + evidence
Risk: Same-day, checklist-driven offboarding with NDA reminder closes the most common audit finding in this area: leaver still had access weeks after departure.
Testing procedure: Sample 25 leavers from HR. For each, trace through the exit checklist: equipment returned, access revoked across all systems, NDA reminder, exit interview record. Match dates against termination date.
Evidence to collect:
- Exit checklist template
- Sample of completed checklists per leaver
- Access logs showing same-day disablement
- Equipment return receipts
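Two of the tests above are date reconciliations that an auditor can script rather than eyeball: A.6.1 (screening completed, at the level the role requires, before the start date) and A.6.5 (a disable event in the identity provider no later than the termination date). The Python below is an added example, not the page's own tooling or any vendor's export format; the CSV column names, the role-to-screening-level table, the `DISABLE_USER` action name and every sample row are constructed assumptions.

```python
"""Added example: reconcile HR registers against screening and IdP records.

Covers two Annex A.6 tests: A.6.1 (screening complete, at the right level,
before the start date) and A.6.5 (access disabled no later than the
termination date). Column names, the role requirement table, the audit
action names and the sample rows are assumptions made for this example.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample: HR hire register with screening outcome (A.6.1).
HIRES_CSV = """employee_id,role,start_date,screening_level,screening_completed
E001,Finance Analyst,2024-02-05,standard,2024-01-29
E002,Systems Administrator,2024-03-11,enhanced,2024-03-15
E003,Intern,2024-06-03,standard,
E004,DevOps Engineer,2024-07-01,standard,2024-06-20
"""

# Assumed policy table: privileged roles need enhanced screening; everyone
# else needs at least standard. Ranks let "enhanced" satisfy "standard".
LEVEL_RANK = {"standard": 1, "enhanced": 2}
REQUIRED_LEVEL = {"Systems Administrator": "enhanced", "DevOps Engineer": "enhanced"}

# Constructed sample: HR leaver register (A.6.5).
LEAVERS_CSV = """employee_id,termination_date
E010,2024-04-30
E011,2024-05-17
E012,2024-08-02
"""

# Constructed sample: identity-provider audit export. E012 only ever had a
# password reset, never a disable: the "leaver still has access" case.
IDP_EVENTS_CSV = """timestamp,actor,action,target
2024-04-30T17:05:00,hr-sync,DISABLE_USER,E010
2024-06-04T09:12:00,admin.jane,DISABLE_USER,E011
2024-08-02T16:40:00,hr-sync,PASSWORD_RESET,E012
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _day(value):
    return date.fromisoformat(value) if value else None


def screening_exceptions(hires_csv=HIRES_CSV):
    """A.6.1: (employee_id, reason) for hires whose screening is missing,
    completed after the start date, or below the level the role requires."""
    findings = []
    for row in _rows(hires_csv):
        emp, start = row["employee_id"], _day(row["start_date"])
        done = _day(row["screening_completed"])
        if done is None:
            findings.append((emp, "no screening record"))
        elif done > start:
            findings.append((emp, f"screened {(done - start).days} days after start"))
        required = REQUIRED_LEVEL.get(row["role"], "standard")
        if LEVEL_RANK.get(row["screening_level"], 0) < LEVEL_RANK[required]:
            findings.append((emp, f"level {row['screening_level']} below required {required}"))
    return findings


def offboarding_exceptions(leavers_csv=LEAVERS_CSV, events_csv=IDP_EVENTS_CSV,
                           max_lag_days=0):
    """A.6.5: (employee_id, reason) for leavers with no DISABLE_USER event, or
    whose earliest disable is more than max_lag_days after termination."""
    disabled_on = {}
    for ev in _rows(events_csv):
        if ev["action"] != "DISABLE_USER":
            continue  # resets, group changes etc. are not revocation
        day = datetime.fromisoformat(ev["timestamp"]).date()
        prev = disabled_on.get(ev["target"])
        disabled_on[ev["target"]] = day if prev is None else min(prev, day)
    findings = []
    for row in _rows(leavers_csv):
        emp, term = row["employee_id"], _day(row["termination_date"])
        day = disabled_on.get(emp)
        if day is None:
            findings.append((emp, "no disable event; account may still be active"))
        elif (day - term).days > max_lag_days:
            findings.append((emp, f"disabled {(day - term).days} days after termination"))
    return findings


if __name__ == "__main__":
    for control, items in (("A.6.1", screening_exceptions()),
                           ("A.6.5", offboarding_exceptions())):
        for emp, reason in items:
            print(f"{control} {emp}: {reason}")
```

Run it over the full HR export and the IdP audit log rather than a hand-picked sample, then draw the 25-item sample from the exceptions list; the leaver with no disable event at all is the finding the page calls the most common in this area, and the zero-day default lag is the same-day standard the evidence list asks for.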
A.6.7 — Is remote working covered by a documented policy, technical controls and training? (renumbered in 2022 from the 2013 teleworking control, A.6.2.2)
How to test + evidence
Risk: A.6.7 carries the 2013 teleworking requirement into the 2022 structure with a broader remote-working scope, and auditors test it explicitly. A policy alone isn't enough; auditors look for technical enforcement (MDM, conditional access, VPN posture).
Testing procedure: Inspect the remote-working policy. Verify it covers physical environment (privacy, lock screens), network (no public Wi-Fi without VPN), device (encryption, MDM), and data (no exfil to personal cloud). Sample 5 remote workers and check their laptop config.
Evidence to collect:
- Remote working policy (current version)
- MDM enrolment report covering remote devices
- VPN/ZTNA usage reports
- Training module content addressing remote-work risks
A.6.8 — Do employees know how to report IS events, and is reporting actively encouraged?
How to test + evidence
Risk: A one-click report button + non-punitive culture surfaces phishing in minutes instead of hours. Most audit findings here are about absent or hostile reporting culture.
Testing procedure: Inspect the reporting channel + supporting training material. Pull the report rate over the audit period (reports received per simulated phish is the cleanest measure, so tie it to phishing simulations where they run). Confirm leadership communications reinforce a non-punitive culture.
Evidence to collect:
- Reporting channel screenshot (button / inbox)
- Triage SLA + sample triaged reports
- Phishing simulation report rate trend
- Leadership communication reinforcing reporting
Beyond compliance: do staff understand cyber risk well enough to make sensible day-to-day decisions?
How to test + evidence
Risk: A strong culture is the cheapest, highest-leverage control. Staff who push back on risky requests prevent incidents that no technical control can.
Testing procedure: Run a culture pulse survey or conduct interviews across departments. Ask scenario-based questions ("Finance receives an urgent CEO email asking for a wire transfer — what do they do?"). Cross-reference with phishing simulation results.
Evidence to collect:
- Culture pulse survey results
- Interview notes from cross-departmental sample
- Phishing simulation results per role
- Examples of staff escalations (positive signal)