ISO 27001 Annex A 6.4 Disciplinary Process

ISO 27001 Annex A 6.4, the Disciplinary Process, asks you to have a way to take action against people who break your rules. This means you need a procedure for addressing anyone who goes against your information security policy, any related policies, or your standard work procedures.

Your disciplinary process should be a clear, step-by-step method used to deal with employees who act improperly or have performance problems. It usually involves a series of steps to look into the issue, write down what happened, and then solve the problem.

What is ISO 27001 Annex A 6.4?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Disciplinary Process”.

What is the ISO 27001 Annex A 6.4 control objective?

The formal definition and control objective in the standard is: “A disciplinary process should be formalised and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.”

What is the purpose of ISO 27001 Annex A 6.4?

The purpose of ISO 27001 Annex A 6.4 is “to ensure that people understand what will happen, and the consequences, of a violation of information security policy.”

Is ISO 27001 Annex A 6.4 Mandatory?

ISO 27001 Annex A control 6.4 (Disciplinary Process in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 6.4 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. You will need to take these steps:

  • Work with a human resources professional.
  • Put a disciplinary process in place for your staff.
  • Make sure that violations of information security are included in this disciplinary process.
  • Share the details of this disciplinary process with everyone who needs to know.
  • Follow the process when needed and keep proof that you acted on it.

When to Take Disciplinary Action

You should only take action after you have investigated and confirmed that a person has actually violated an information security policy.

What to Consider for Disciplinary Action

Working with a human resources expert, you will need to choose a reasonable and balanced response that follows all legal rules. You should think about:

  • The kind of event that happened.
  • The person’s intention, whether they did it on purpose or by accident.
  • How often this has happened: is this the first time or a repeat problem?
  • Whether the person knew what they were supposed to do, and if you can show proof of this.
  • Whether the person received training, and if you can show proof of that.

Rewarding Positive Behaviour

This system is not just about punishment. You can improve your work culture and policy compliance by rewarding good behaviour related to information security. Examples include financial rewards, formal recognition in meetings, or creating an ‘Information Security Star of the Month’ award.

Types of Disciplinary Actions

The actions you can take depend on how serious the violation is. Some common steps are:

  • Verbal warnings
  • Written warnings
  • Suspension from work
  • Ending employment

Who Manages the Process

Your organisation’s human resources department usually manages the disciplinary process. However, the employee’s manager or supervisor may sometimes be in charge of it.

Steps in the Disciplinary Process

The steps you follow will differ based on your organisation, but these are common:

  • Investigating what happened.
  • Looking over the employee’s file.
  • Meeting with the employee to talk about the incident.
  • Giving a written warning or taking another type of disciplinary action.
  • Following up to make sure the employee has corrected the behaviour.

Your Employee’s Rights

Employees have the right to:

  • Be told what the claims are against them.
  • Be present during any disciplinary meeting.
  • Answer the claims made against them.
  • Be represented by a union representative or another advocate.
  • Challenge the decision made about their discipline.

Your Responsibilities as the Employer

As the employer, you must:

  • Investigate the incident completely.
  • Look over the employee’s file.
  • Meet with the employee to talk about the incident.
  • Give a written warning or other action that is fair and consistent with your policies.
  • Follow up to make sure the employee has fixed the behaviour.

Results of Not Following the Process

If you do not follow the disciplinary process correctly, you may face problems such as:

  • More employees leaving the company.
  • Lower employee happiness.
  • Less productive work.
  • Higher chance of legal issues.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

1. Documented Disciplinary Process

The auditor will speak with your Human Resources team. They will look for a written document that details your disciplinary process. This process must specifically cover violations of your information security policies and rules. You must have this document ready for them to review.

2. Communicating the Disciplinary Process

The auditor wants to be sure you have told the right people about this process. They will check your training and awareness plan, along with your communication plan. They will look for proof that you have shared the details of the disciplinary process with employees and other relevant people in the past.

3. Awareness of Responsibilities

The auditor will confirm that your staff know what they are supposed to do. They will check for written procedures and topic-specific policies. They will also look for evidence that you have shared these rules with people and that you have trained them on what is required of them.