ISO 27002:2022, Control 6.2 – Terms and Conditions of Employment

ISO 27002:2022 Revised Controls

Book a demo

from,above,of,group,of,diverse,colleagues,in,formal,clothing

What Is Control 6.2 – Terms and Conditions of Employment?

Control 6.2, terms and conditions of employment in the new ISO 27002:2022 talks about the need for contractual agreement to inform any new employee about their responsibility as well as that of the organisation towards information security.

What this means is that employees should know about the company’s information security policy, as well as the roles and responsibilities of people who work with information security in the company. This can be done by having personnel sign an employment contract or something similar.

Such a contractual agreement will typically outline the general requirements for protecting information assets, including physical security, environmental controls, access controls and contingency planning as well as a confidentiality agreement if they’ll be working with PII.

Information Security Explained

Information security is the practice of defending information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It includes ensuring confidentiality, integrity and availability of data.

The purpose of information security is to protect the organisation’s assets and intellectual property from attacks by hackers and other security threats.

Information Security Threats Explained

Information security threats are potential dangers that can be posed by malicious actors to organisations’ data and infrastructure. The risks are often associated with poor information security practices and/or inadequate protection measures.

The most common information security threats include:

  • Data breaches and loss.
  • Phishing attacks.
  • Malware and ransomware.
  • Virus and worm infections.
  • DDoS attacks.

Information security threats are constantly evolving and growing in complexity. The threats come from both outside and inside the organisation, and they can strike at any time.

Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

Attributes Table

Attributes are a way to group controls. It’s easier to match your control choice to standard industry specifications and terminology if you look at the attributes of the control. In control 6.2, the following attributes can be used.

Control TypeInformation Security Properties Cybersecurity ConceptsOperational Capabilities Security Domains
#Preventive#Confidentiality
#Integrity
#Availability
#Protect#Human Resource Security#Governance and Ecosystem

What Is The Purpose of Control 6.2?

The purpose of control 6.2 is to ensure that all employees have an understanding of their role in protecting the company’s assets and confidential information, especially as it relates to the role they are employed for.

Obligations Under Control 6.2

Control 6.2 terms and conditions of employment is an important part of your organisation’s information security management system (ISMS). It helps you meet your obligations under the GDPR and other legal requirements relating to personal data processing and information security.

The purpose of this control is to ensure personnel understand their information security responsibilities in the organisation.

To help achieve this, it is important that employees are made aware of their confidentiality obligations and other relevant terms and conditions before they commence employment with an organisation. This may also include any restrictions on the use of technology or social media platforms.

This control should be reviewed annually to ensure that any changes in organisational structure or procedures are reflected in the documentation provided to employees.

What Is Involved and How Do You Meet the Requirements

The most obvious way to meet the requirements for Control 6.2, terms and conditions of employment is to provide all employees with a written employment contract, or offer letter, which outlines all the terms and conditions of their employment, particularly in the area of information security.

Also, the contractual obligations for personnel should take into consideration the organisation’s information security policy and relevant topic-specific policies, and the following points should be well covered in the employment contractual agreement:

  • confidentiality or non-disclosure agreements that personnel who are given access to confidential information should sign prior to being given access to information and other associated assets;
  • legal responsibilities and rights [e.g. regarding copyright laws or data protection legislation;
  • responsibilities for the classification of information and management of the organisation’s
  • information and other associated assets, information processing facilities and information services handled by the personnel;
  • responsibilities for the handling of information received from interested parties;
  • actions to be taken if personnel disregard the organisation’s security requirements.

Finally, the organisation should ensure that personnel agree to terms and conditions concerning information security.

Get a Headstart
on ISO 27002

The only compliance
solution you need
Book your demo

Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

Changes and Differences from ISO 27002:2013

Control 6.2 in ISO 27002:2022 is not exactly a new control in this ISO series. Published in February 2022, this version of ISO 27002 is an upgrade of the 2013 version. Hence, control 6.2 is a modified version of control 7.1.2 in ISO 27002:2013.

The 2022 version comes with an attributes table and a statement of purpose which is not available in control 7.1.2.

Having said that, there is no other obvious difference between the two controls apart from the change in control number. While the phraseology of the two controls may not be similar, the content and context are virtually the same.

Who Is in Charge of This Process?

The answer is simple: it depends on the company’s size and the way its employees are organised.

In smaller companies, one person may be responsible for all HR functions (e.g. recruitment, contracts, training). It may also be possible to delegate these responsibilities to another person within the company. This person would make sure that Control 6.2 is followed correctly by all employees but would not be responsible for its development or interpretation.

This function may also be a shared responsibility among all managers and supervisors throughout the organisation—from the CEO down through middle management levels.

However, for proper implementation of this control, it is best the HR manager is responsible, with oversight from the ISMS manager.

What Do These Changes Mean for You?

The new ISO 27002:2022 standard is not a significant update. As a result, you will not need to make any significant modifications in order to be compliant with the most recent version of ISO 27002.

Nonetheless, if you are planning to implement an ISMS (or even ISMS certification), it is crucial that you evaluate the current edition of ISO 27002 and confirm that your security procedures are adequate.

Additional information on how the new ISO 27002 will affect your information security operations and ISO 27001 certification may be found in our ISO 27002:2022 handbook, which is available for free download on our website.

How ISMS.Online Helps

ISMS.online is a cloud-based solution that helps companies show compliance with ISO 27002. The ISMS.online solution can be used to manage the requirements of ISO 27002 and ensure that your organisation remains compliant with the new standard.

The ISO 27002 standard has been updated to reflect the growing cyber threats we face as a society. The current standard was first published in 2005 and revised in 2013 to reflect changes in technology, regulations and industry standards. The new version of ISO 27002 incorporates these updates into one document, as well as adding new requirements for organisations to help them better protect their data assets from cyber attacks.

The ISMS.online solution helps organisations implement ISO 27002: 2022 by providing an easy-to-use framework for documenting information security policies and procedures. It also provides a centralised location where you can store all your compliance documentation so it can be easily accessed by different stakeholders in the company (e.g. HR, IT).

Our platform is user-friendly and straightforward. It is not only for highly technical individuals; it is for everyone in your company.

Get in touch today to book a demo.

Are you ready for
the new ISO 27002

We’ll give you an 81% headstart
from the moment you log in
Book your demo

New Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.7NewThreat intelligence
5.23NewInformation security for use of cloud services
5.30NewICT readiness for business continuity
7.4NewPhysical security monitoring
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.16NewMonitoring activities
8.23NewWeb filtering
8.28NewSecure coding

Organisational Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.105.1.1, 05.1.2Policies for information security
5.206.1.1Information security roles and responsibilities
5.306.1.2Segregation of duties
5.407.2.1Management responsibilities
5.506.1.3Contact with authorities
5.606.1.4Contact with special interest groups
5.7NewThreat intelligence
5.806.1.5, 14.1.1Information security in project management
5.908.1.1, 08.1.2Inventory of information and other associated assets
5.1008.1.3, 08.2.3Acceptable use of information and other associated assets
5.1108.1.4Return of assets
5.12 08.2.1Classification of information
5.1308.2.2Labelling of information
5.1413.2.1, 13.2.2, 13.2.3Information transfer
5.1509.1.1, 09.1.2Access control
5.1609.2.1Identity management
5.17 09.2.4, 09.3.1, 09.4.3Authentication information
5.1809.2.2, 09.2.5, 09.2.6Access rights
5.1915.1.1Information security in supplier relationships
5.2015.1.2Addressing information security within supplier agreements
5.2115.1.3Managing information security in the ICT supply chain
5.2215.2.1, 15.2.2Monitoring, review and change management of supplier services
5.23NewInformation security for use of cloud services
5.2416.1.1Information security incident management planning and preparation
5.2516.1.4Assessment and decision on information security events
5.2616.1.5Response to information security incidents
5.2716.1.6Learning from information security incidents
5.2816.1.7Collection of evidence
5.2917.1.1, 17.1.2, 17.1.3Information security during disruption
5.30NewICT readiness for business continuity
5.3118.1.1, 18.1.5Legal, statutory, regulatory and contractual requirements
5.3218.1.2Intellectual property rights
5.3318.1.3Protection of records
5.3418.1.4Privacy and protection of PII
5.3518.2.1Independent review of information security
5.3618.2.2, 18.2.3Compliance with policies, rules and standards for information security
5.3712.1.1Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
6.107.1.1Screening
6.207.1.2Terms and conditions of employment
6.307.2.2Information security awareness, education and training
6.407.2.3Disciplinary process
6.507.3.1Responsibilities after termination or change of employment
6.613.2.4Confidentiality or non-disclosure agreements
6.706.2.2Remote working
6.816.1.2, 16.1.3Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
7.111.1.1Physical security perimeters
7.211.1.2, 11.1.6Physical entry
7.311.1.3Securing offices, rooms and facilities
7.4NewPhysical security monitoring
7.511.1.4Protecting against physical and environmental threats
7.611.1.5Working in secure areas
7.711.2.9Clear desk and clear screen
7.811.2.1Equipment siting and protection
7.911.2.6Security of assets off-premises
7.1008.3.1, 08.3.2, 08.3.3, 11.2.5Storage media
7.1111.2.2Supporting utilities
7.1211.2.3Cabling security
7.1311.2.4Equipment maintenance
7.1411.2.7Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
8.106.2.1, 11.2.8User endpoint devices
8.209.2.3Privileged access rights
8.309.4.1Information access restriction
8.409.4.5Access to source code
8.509.4.2Secure authentication
8.612.1.3Capacity management
8.712.2.1Protection against malware
8.812.6.1, 18.2.3Management of technical vulnerabilities
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.1312.3.1Information backup
8.1417.2.1Redundancy of information processing facilities
8.1512.4.1, 12.4.2, 12.4.3Logging
8.16NewMonitoring activities
8.1712.4.4Clock synchronization
8.1809.4.4Use of privileged utility programs
8.1912.5.1, 12.6.2Installation of software on operational systems
8.2013.1.1Networks security
8.2113.1.2Security of network services
8.2213.1.3Segregation of networks
8.23NewWeb filtering
8.2410.1.1, 10.1.2Use of cryptography
8.2514.2.1Secure development life cycle
8.2614.1.2, 14.1.3Application security requirements
8.2714.2.5Secure system architecture and engineering principles
8.28NewSecure coding
8.2914.2.8, 14.2.9Security testing in development and acceptance
8.3014.2.7Outsourced development
8.3112.1.4, 14.2.6Separation of development, test and production environments
8.3212.1.2, 14.2.2, 14.2.3, 14.2.4Change management
8.3314.3.1Test information
8.3412.7.1Protection of information systems during audit testing
Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Explore ISMS.online's platform with a self-guided tour - Start Now