Your-ultimate-guide-to-ISO-27001-Certification-Background

Navigating ISO 27001

People Controls in ISO 27001

The Essential Measures for Information Security

Get your free guide

 

Get your free guide

Protecting sensitive information and data is more important than ever in today’s digital world. Technological and physical threats are always evolving - but people remain the biggest risk factor for all organisations. This is why ISO 27001, the international standard for information security management, includes a series of measures in Annex A that focuses on dealing with employees. 

In order to protect an organisation’s information, it is crucial to implement a comprehensive information security management system (ISMS). An ISMS consists of a series of measures that help to ensure the security of information. 

People controls are an important part of an ISMS. They focus on the human factor in information security. People controls are designed to ensure that employees have the right knowledge and skills to handle information securely. 

Control Categories from Annex A: Organizational, People, Physical, and Technological

ISO 27001 defines 93 controls in Annex A that contribute to improving an organisation's information security. These controls are divided into four categories:

  • Organisational controls

  • People controls

  • Physical controls

  • Technological controls

The four categories facilitate the planning and implementation of measures and the selection of the right controls for the context of the organisation.

In 2022, the ISO 27001 control categories were restructured to reflect current security requirements. The new version of the standard ISO 27001:2022 maintains the core processes of ISMS management, but updates the controls in Annex A to address more modern risks and the threats.

Learn more about the transition to the new ISO 27001 controls in our transition guide.

 

What are people-related controls?

People controls are measures that organisations can implement to influence employee behaviour and protect staff in relation to information security.

The people-related controls of the ISO 27001 framework ensure that employees and other persons who have access to information systems and data have an appropriate understanding of information security and comply with it.

This means that it defines responsibilities, appropriate training and access to knowledge as well as obligations of the organisation and employees with regard to the handling of sensitive information. This also includes topics such as remote working, non-disclosure agreements, onboarding and offboarding processes and responsibilities for reporting incidents.

Among other things, they include:

  • Training and awareness campaigns to sensitise employees to information security risks

  • Policies and procedures governing the secure handling of information

  • Processes for the selection, recruitment and monitoring of employees

  • Measures to promote a culture of information security within the organisation

Get ready for the ISO 27001 audit with up to 75% less workload

100% first-try pass rate in external audits on ISO 27001 

Book a demo
DG Seal ISO 27001

Why are people controls important?

People are often the weak link in information security. They can inadvertently disclose information or be targeted by phishing or social engineering attacks. Personnel-related controls help to minimise these risks by enabling employees to handle information securely.

 

ISO 27001 people controls: What are they?

Personnel-related controls are an essential part of a comprehensive information security strategy. The advantage of this area is that it comprises just eight measures that you can implement. We have compiled a list with a comprehensive overview of all personnel-related controls from Annex A of ISO 27001:

People Controls

Annex A 6.1

Screening

People Controls

Annex A 6.2

Terms and Conditions of Employment

People Controls

Annex A 6.3

Information Security Awareness, Education and Training

People Controls

Annex A 6.4

Disciplinary Process

People Controls

Annex A 6.5

Responsibilities After Termination or Change of Employment

People Controls

Annex A 6.6

Confidentiality or Non-Disclosure Agreements

People Controls

Annex A 6.7

Remote Working

People Controls

Annex A 6.8

Information Security Event Reporting

How are people controls implemented?

The implementation of people controls is a process that can be divided into several steps:

  1. Planning: in this step, a plan for implementing the people controls is created.

  2. Implementation: In this step, the people controls are realised.

  3. Monitoring and improvement: In this step, the effectiveness of the people controls is monitored and improved if necessary.

Planning

The first step in the implementation of people controls is planning. In this step, a plan is created that includes the following aspects:

  • Objectives: What are the objectives to be achieved by implementing the people controls?

  • Scope: Which people controls shall be implemented?

  • Responsibilities: Who is responsible for the implementation and operation of the people controls?

  • Resources: What resources are required for the implementation of the people controls?

The planning should be closely coordinated with the other areas of the information security management system. In this way, the people-related controls can be seamlessly integrated into the ISMS and achieve the desired objectives.

Implementation

In this step, the people controls are implemented. This includes, among other things:

  • Creation of policies and procedures: Policies and procedures define the requirements for the people controls.

  • Training and sensitisation: Employees are trained and sensitised with regard to information security.

  • Implementation of technical measures: Technical measures can support the effectiveness of the people controls.

The implementation of people-related controls should take place within a reasonable period of time. It is important to consider the impact of the new measures on employees and the organisation.

Monitoring and improvement

As all other controls, also the effectiveness of the people controls should be monitored regularly. The following measures, among others, can be taken for this purpose:

  • Audits: Audits can check compliance with personnel-related controls.

  • Feedback from employees: Employees can provide feedback on the personnel-related controls.

  • Analysing security incidents: Analysing security incidents can provide information on potential weaknesses in personnel-related controls.

Monitoring and improving people controls will result in their optimisation. In this way, the organisation's information security can continuously be improved.

Additional tips for the implementation of people controls

  • Involve employees: Employees should be involved in the planning and implementation of people controls from the outset. This enables them to identify with the new measures and accept them better.

  • Communicate the people controls clearly and comprehensibly: Employees should understand why the people-related controls are important and how they can implement them.

  • Provide training and awareness-raising: Training and awareness will help ensure that employees understand and comply with information security.

  • Provide resources: Provide employees with the resources they need to implement and maintain personnel-related controls.

By implementing personnel-related controls, an organisation's information security can be improved. The personnel-related controls help to ensure that employees and others who have access to information systems and data have an appropriate understanding of information security and comply with it.

 

People controls to strengthen your information security

People controls are an important component of an ISMS. They help to influence the behaviour of employees with regard to information security and thus ensure the security of information.

Personnel-related measures provide companies with guidelines that influence the selection of employees, teach them in the handling of sensitive information and promote the secure handling of corresponding rules.

The current challenges of information security are taken into account in ISO 27001:2022 and opportunities are offered to establish an appropriate approach to modern conditions such as remote work and digital processes.

Find the right controls for your company and use our ISO 27001 checklist to find out which measures you need to implement to realise ISO 27001.

Save Money with ISO 27001

up to 50%

Cheaper than external consultants

Opt-in

up to 300%

Increase your opt-in rate with Consent & Preference Management

Scale Fast with ISO 27001

3 months

Get audit-ready in as little as three months

ISO 27001 Certificate

100%

First-try pass rate in external audits on ISO 27001 and TISAX®

ISO 27001 certification to reduce Workload

Saves up to 100 hours

of manual work to get ISO 27001 certified or TISAX® labels

ISO 27001 Certification creates trust

Customers trust us

Book a demo

P I C

p

PRIVACY

External DPO
Audit and risk analysis
Data Subject Requests
Online training courses
Cookie & Preference manager
Business advice from experts

i

INFOSEC

Prepare for ISO 27001
Build an ISMS
Cyber security
Asset management
Risk mitigation
Internal audit

c

COMPLIANCE

Digital whistleblowing system
Whistleblowing support
Compliance audit
Risk mitigation
Online training courses
Templates

ISO 27001:2022 requirements

4.1 Understanding the organisation and its context

4.2 Understanding the needs and expectations of interested parties

4.3 Determining the scope of the ISMS

4.4 Information security management system (ISMS)

5.1 Leadership and commitment

5.2 Information security policy

5.3 Organisational roles, responsibilities and authorities

6.1 Actions to address risks and opportunities

6.2 Information security objectives and planning to achieve them

7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented information

8.1 Operational planning and control

8.2 Information security risk assessment

8.3 Information security risk treatment

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal audit

9.3 Management review

10.1 Nonconformity and corrective action

10.2 Continual improvement

 

ISO 27001 Annex A

 

Trusted and used by companies

Canon-4 The Cheeky Panda Burger King Unicef UK-1 Free Now

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

All data provided is for information only, based on internal estimates. This information is not indicative of KPIs, and is not given with any warranties or guarantees, expressly stated or implied in relation to accuracy and reliability.

 

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies
Certified-Icon

100% success in ISO 27001 audits to date

 

 

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Transparent consent collection
  • Comply with GDPR, CCPA, LGPD, ePrivacy, and more
  • Consolidate consents across multiple touchpoints
  • Support from privacy experts
  • Integrates with your marketing tools and CRM

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Let's talk