Control 6.2, terms and conditions of employment in the new ISO 27002:2022 talks about the need for contractual agreement to inform any new employee about their responsibility as well as that of the organisation towards information security.
What this means is that employees should know about the company’s information security policy, as well as the roles and responsibilities of people who work with information security in the company. This can be done by having personnel sign an employment contract or something similar.
Such a contractual agreement will typically outline the general requirements for protecting information assets, including physical security, environmental controls, access controls and contingency planning as well as a confidentiality agreement if they’ll be working with PII.
Information security is the practice of defending information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It includes ensuring confidentiality, integrity and availability of data.
The purpose of information security is to protect the organisation’s assets and intellectual property from attacks by hackers and other security threats.
Information security threats are potential dangers that can be posed by malicious actors to organisations’ data and infrastructure. The risks are often associated with poor information security practices and/or inadequate protection measures.
The most common information security threats include:
Information security threats are constantly evolving and growing in complexity. The threats come from both outside and inside the organisation, and they can strike at any time.
Attributes are a way to group controls. It’s easier to match your control choice to standard industry specifications and terminology if you look at the attributes of the control. In control 6.2, the following attributes can be used.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human Resource Security | #Governance and Ecosystem |
The purpose of control 6.2 is to ensure that all employees have an understanding of their role in protecting the company’s assets and confidential information, especially as it relates to the role they are employed for.
Control 6.2 terms and conditions of employment is an important part of your organisation’s information security management system (ISMS). It helps you meet your obligations under the GDPR and other legal requirements relating to personal data processing and information security.
The purpose of this control is to ensure personnel understand their information security responsibilities in the organisation.
To help achieve this, it is important that employees are made aware of their confidentiality obligations and other relevant terms and conditions before they commence employment with an organisation. This may also include any restrictions on the use of technology or social media platforms.
This control should be reviewed annually to ensure that any changes in organisational structure or procedures are reflected in the documentation provided to employees.
The most obvious way to meet the requirements for Control 6.2, terms and conditions of employment is to provide all employees with a written employment contract, or offer letter, which outlines all the terms and conditions of their employment, particularly in the area of information security.
Also, the contractual obligations for personnel should take into consideration the organisation’s information security policy and relevant topic-specific policies, and the following points should be well covered in the employment contractual agreement:
Finally, the organisation should ensure that personnel agree to terms and conditions concerning information security.
Control 6.2 in ISO 27002:2022 is not exactly a new control in this ISO series. Published in February 2022, this version of ISO 27002 is an upgrade of the 2013 version. Hence, control 6.2 is a modified version of control 7.1.2 in ISO 27002:2013.
The 2022 version comes with an attributes table and a statement of purpose which is not available in control 7.1.2.
Having said that, there is no other obvious difference between the two controls apart from the change in control number. While the phraseology of the two controls may not be similar, the content and context are virtually the same.
The answer is simple: it depends on the company’s size and the way its employees are organised.
In smaller companies, one person may be responsible for all HR functions (e.g. recruitment, contracts, training). It may also be possible to delegate these responsibilities to another person within the company. This person would make sure that Control 6.2 is followed correctly by all employees but would not be responsible for its development or interpretation.
This function may also be a shared responsibility among all managers and supervisors throughout the organisation—from the CEO down through middle management levels.
However, for proper implementation of this control, it is best the HR manager is responsible, with oversight from the ISMS manager.
The new ISO 27002:2022 standard is not a significant update. As a result, you will not need to make any significant modifications in order to be compliant with the most recent version of ISO 27002.
Nonetheless, if you are planning to implement an ISMS (or even ISMS certification), it is crucial that you evaluate the current edition of ISO 27002 and confirm that your security procedures are adequate.
Additional information on how the new ISO 27002 will affect your information security operations and ISO 27001 certification may be found in our ISO 27002:2022 handbook, which is available for free download on our website.
ISMS.online is a cloud-based solution that helps companies show compliance with ISO 27002. The ISMS.online solution can be used to manage the requirements of ISO 27002 and ensure that your organisation remains compliant with the new standard.
The ISO 27002 standard has been updated to reflect the growing cyber threats we face as a society. The current standard was first published in 2005 and revised in 2013 to reflect changes in technology, regulations and industry standards. The new version of ISO 27002 incorporates these updates into one document, as well as adding new requirements for organisations to help them better protect their data assets from cyber attacks.
The ISMS.online solution helps organisations implement ISO 27002: 2022 by providing an easy-to-use framework for documenting information security policies and procedures. It also provides a centralised location where you can store all your compliance documentation so it can be easily accessed by different stakeholders in the company (e.g. HR, IT).
Our platform is user-friendly and straightforward. It is not only for highly technical individuals; it is for everyone in your company.
Get in touch today to book a demo.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
