ISO 27001:2022 Annex A Control 6.4

Disciplinary Process

Book a demo

bottom,view,of,modern,skyscrapers,in,business,district,against,blue

What Is ISO 27001:2022 Annex A 6.4?

ISO 27001:2022 Annex A 6.4 requires organisations to establish a disciplinary process to act as a deterrent against information security violations.

Formal communication of this process should be implemented and a penalty suitable for employees and other stakeholders who violate the information security policy should be established.

Information Security Violation Explained

Information security policy violations constitute a breach of the regulations governing the proper handling of information. Organisations establish these policies to protect confidential, proprietary and personal data, such as customer records and credit card numbers. Additionally, computer security policies are also included in these to ensure data stored on computers remains secure and intact.

If you utilise company email to send personal communications without permission from your supervisor, this could constitute a breach of the company policy. Additionally, should you make an error while utilising the firm’s equipment or software, resulting in damage to either the equipment or the data stored on it, this is also an infraction of the information security policy.

If an employee contravenes an organisation’s info security policy, disciplinary action or dismissal may result. In certain situations, a business may opt not to dismiss a worker who breaches its computer usage policy, but to take other suitable steps to stop any further infringements of company policy.

The Purpose of ISO 27001:2022 Annex A 6.4?

The purpose of the disciplinary process is to make sure personnel and any other interested parties recognise the outcomes of a breach of the information security policy.

Annex A 6.4 is designed to both deter and assist in handling any violations of information security policies, ensuring that employees and other related stakeholders are aware of the ramifications.

An effective information security programme must include the capacity to administer suitable disciplinary measures for workers who violate information security regulations. Doing so ensures that personnel understand the implications of disregarding pre-defined regulations, thus diminishing the likelihood of deliberate or inadvertent data leakage.

Examples of activities that could be included while enforcing this control are:

  • Carry out regular training sessions to keep staff up to date on policy changes.
  • Design disciplinary measures for failure to adhere to information security policies.
  • Supply each employee with a copy of the organisation’s disciplinary procedures.
  • In similar situations, ensure that disciplinary procedures are followed consistently.

The disciplinary measures outlined in the framework should be swiftly implemented following an incident, to discourage any further breaches of organisational policies.

What Is Involved and How to Meet the Requirements

To meet the requirements of Annex A 6.4, disciplinary action must be taken when there is evidence of not adhering to the organisation’s policies, procedures, or regulations. This also includes any applicable legislation and regulations.

Per Annex A 6.4, the formal disciplinary process should account for the following elements when taking a graduated approach:

  • The extent of the breach, its nature, seriousness, and consequences must all be taken into account.
  • Whether the offence was deliberate or accidental.
  • Regardless of whether this is the initial or repeat offence.
  • Whether the transgressor has been given sufficient training is to be considered.

Consider all relevant legal, legislative, regulatory, contractual and corporate obligations, as well as any other relevant factors, when taking action.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 6.4 replaces ISO 27001:2013 Annex A 7.2.3 in the revised 2022 version of ISO 27001.

ISO 27001:2022 employs user-friendly language to ensure the standard’s users can comprehend its content. There are minor variations in wording, however the overall context and content remain the same.

The only distinction you’ll observe is the Annex A Control Number having been changed from 7.2.3 to 6.4. Moreover, the 2022 standard has the added benefit of a attributes table and statement of purpose which are absent in the 2013 version.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

Who Is in Charge of This Process?

In the majority of cases, the disciplinary process is overseen by the department manager or HR representative. It is not uncommon for the HR representative to give the responsibility of disciplinary action to someone else in the organisation, like an information security expert.

The primary goal of disciplinary action is to safeguard the organisation from any additional infringements from the staff member. It further aims to deter any further occurrences of similar incidents by making sure that all employees are aware of the significance of information security breaches.

It is essential for any organisation to ensure that disciplinary action is taken when a staff member has breached any of its policies or procedures. To ensure this, clear guidance must be established on how to handle such situations, including instructions on how to carry out investigations and the actions to take afterwards.

What Do These Changes Mean for You?

If you’re pondering how these alterations affect you, here’s a concise summary of the most critical points:

  • No need to re-certify; it’s only a minor alteration.
  • Retain your current certification until it expires, provided it remains valid.
  • No major alterations have been made to ISO 27001:2022 Annex A 6.4.
  • The aim is to bring the standard in line with the most up-to-date best practices and standards.

If you’re aiming to gain ISMS certification, you should assess your security measures to ensure they comply with the revised standard.

To gain insight into the impact the new ISO 27001:2022 could have on your data security procedures and ISO 27001 accreditation, please refer to our complimentary ISO 27001:2022 guide.

How ISMS.Online Help

ISMS.online is the leading ISO 27001 management system software, aiding in compliance with the ISO 27001 standard. It assists companies to ensure their security policies and procedures are in line with the requirement.

This cloud-based platform offers a full range of tools to help organisations to establish an Information Security Management System (ISMS) based on ISO 27001.

These tools comprise of:

  • A library of templates for frequently encountered corporate documents is available.
  • A collection of pre-established guidelines and protocols is in place.
  • An audit tool to facilitate internal audits is available.
  • An interface to personalise Information Security Management System (ISMS) policies and procedures is provided.
  • All changes to policies and procedures must be approved through a workflow process.
  • Create a list to ensure that your policies and information protection measures are in line with international standards.

ISMS.Online provides users with the ability to:

  • Handle all areas of the ISMS life-cycle with ease.
  • Gain immediate understanding of their security status and compliance problems.
  • Integrate with other systems such as HR, finance and project management.
  • Ensure conformance of the ISMS to ISO 27001 criteria.

ISMS.Online offers advice on how to execute your ISMS optimally, with guidance on forming policies and protocols associated with risk management, staff security awareness training and incident response preparation.

Reach out to us now to schedule a demonstration.

Our recent success achieving ISO 27001, 27017 & 27018 certification was in large part down to ISMS.online.

Karen burton
Security Analyst, Thrive Health

Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.