ISO 27001:2022 Annex A Explained (Pt.2): People Controls

    Lam Anh

    July 24, 2025 • 5 min read

    When startups dive into ISO 27001 compliance, they often focus heavily on tech and processes, overlooking a critical factor: their people. Annex A's "People Controls" ensure your team becomes a security strength—not a liability. Here’s how to leverage them.

    What's the Big Deal About People Controls?

    People are at the core of any organization. Unfortunately, they’re also the weakest security link—responsible for 82% of data breaches, primarily through human error or social engineering. ISO 27001 Annex A addresses this directly by guiding companies on embedding security in human-centric policies and processes.

    Quick Overview: 8 People Controls of ISO 27001

    Annex A of ISO 27001:2022 outlines 8 critical people-focused controls:

    1. Screening (6.1)
    2. Terms and conditions of employment (6.2)
    3. Information security awareness, education, and training (6.3)
    4. Disciplinary process (6.4)
    5. Responsibilities after termination or change of employment (6.5)
    6. Confidentiality or non-disclosure agreements (6.6)
    7. Remote working (6.7)
    8. Information security event reporting (6.8)

    Let's dive deeper.

    Implementing People Controls: A Practical Approach

    1. Screening (6.1)

    Screening employees mitigates risks linked to sensitive roles. Conduct comprehensive background checks, verify professional qualifications, and integrate ethical questions into your interview process.

    2. Terms and Conditions of Employment (6.2)

    Clearly state security responsibilities in employee contracts. Employees should explicitly agree to uphold your organization’s security standards.

    3. Information Security Awareness, Education, and Training (6.3)

    Consistent, practical training helps employees identify and react to threats like phishing and social engineering. Conduct frequent training sessions and regularly update content to address new threats.

    4. Disciplinary Process (6.4)

    Clearly outline the repercussions of violating security policies. A transparent disciplinary process ensures consistent responses to infractions and reinforces security culture.

    5. Responsibilities after Termination or Change of Employment (6.5)

    Define steps to revoke access immediately upon employee exit or role change. Procedures must be clear, immediate, and consistently executed.

    6. Confidentiality or Non-Disclosure Agreements (6.6)

    NDAs legally protect your sensitive information. Ensure all employees and contractors clearly understand confidentiality obligations through comprehensive onboarding processes.

    7. Remote Working (6.7)

    Remote work introduces unique security risks. Implement clear remote working policies, detailing secure access methods, device management, and employee responsibilities.

    8. Information Security Event Reporting (6.8)

    Encourage reporting of suspicious activities or potential breaches without fear of retribution. Quick reporting minimizes damage from security incidents.


    Common Pitfalls in People Controls

    • Inconsistent training schedules, resulting in knowledge gaps.
    • Vague remote-work guidelines, increasing vulnerabilities.
    • Neglecting exit procedures, leading to unauthorized access post-employment.

    Avoid these pitfalls by maintaining consistent communication, clear policies, and rigorous follow-ups.

    Tips for Successful Implementation

    • Leadership Engagement: Lead by example. Senior management should actively demonstrate and promote secure behaviors.
    • Frequent Refreshers: Short, regular training sessions outperform lengthy annual workshops in retention and effectiveness.
    • Transparent Culture: Foster openness, where security concerns can be voiced without fear, promoting swift issue resolution.

    Documenting People Controls in Your Statement of Applicability (SoA)

    Your Statement of Applicability (SoA) should clearly document:

    • Controls implemented, including concise implementation details.
    • Controls deemed non-applicable, with clear, logical justifications.

    For example, if your startup operates completely remotely without any physical workspace, controls that specifically address physical office interactions might be marked as not applicable, with the reasoning clearly explained in your SoA.

    Tangible Benefits of Robust People Controls

    Effectively implemented people controls lead to:

    • Reduced risk of data breaches due to human error.
    • Enhanced trust among customers, partners, and investors.
    • A scalable, security-aware organizational culture.

    Conclusion

    Prioritizing People Controls within ISO 27001 ensures your employees become frontline defenders of your data security, rather than its weakest link. Incorporate these practices early to create an enduring foundation for growth.

    Ready to fortify your team's security awareness and ensure compliance success? Let Smartly guide you through the process.
