What Is Control 6.2 – Terms and Conditions of Employment?
Control 6.2, terms and conditions of employment in the new ISO 27002:2022, addresses the need for a contractual agreement that informs every new employee of their information security responsibilities, and of the organisation's responsibilities towards them.
What this means is that employees should know about the company’s information security policy, as well as the roles and responsibilities of people who work with information security in the company. This can be done by having personnel sign an employment contract or something similar.
Such a contractual agreement will typically outline the general requirements for protecting information assets, including physical security, environmental controls, access controls and contingency planning as well as a confidentiality agreement if they’ll be working with PII.
Information Security Explained
Information security is the practice of defending information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It includes ensuring confidentiality, integrity and availability of data.
The purpose of information security is to protect the organisation’s assets and intellectual property from attacks by hackers and other security threats.
Information Security Threats Explained
Information security threats are potential dangers that can be posed by malicious actors to organisations’ data and infrastructure. The risks are often associated with poor information security practices and/or inadequate protection measures.
The most common information security threats include:
- Data breaches and loss.
- Phishing attacks.
- Malware and ransomware.
- Virus and worm infections.
- DDoS attacks.
Information security threats are constantly evolving and growing in complexity. The threats come from both outside and inside the organisation, and they can strike at any time.
Attributes Table
Attributes are a way to group controls. It’s easier to match your control choice to standard industry specifications and terminology if you look at the attributes of the control. In control 6.2, the following attributes can be used.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality | #Protect | #Human Resource Security | #Governance and Ecosystem |
| #Integrity | | | |
| #Availability | | | |
What Is The Purpose of Control 6.2?
The purpose of control 6.2 is to ensure that all employees have an understanding of their role in protecting the company’s assets and confidential information, especially as it relates to the role they are employed for.
Obligations Under Control 6.2
Control 6.2, terms and conditions of employment, is an important part of your organisation’s information security management system (ISMS). It helps you meet your obligations under the GDPR and other legal requirements relating to personal data processing and information security.
The purpose of this control is to ensure personnel understand their information security responsibilities in the organisation.
To help achieve this, it is important that employees are made aware of their confidentiality obligations and other relevant terms and conditions before they commence employment with an organisation. This may also include any restrictions on the use of technology or social media platforms.
This control should be reviewed annually to ensure that any changes in organisational structure or procedures are reflected in the documentation provided to employees.
What Is Involved and How Do You Meet the Requirements
The most obvious way to meet the requirements of Control 6.2, terms and conditions of employment, is to provide all employees with a written employment contract, or offer letter, which sets out all the terms and conditions of their employment, particularly those relating to information security.
Also, the contractual obligations for personnel should take into consideration the organisation’s information security policy and relevant topic-specific policies, and the following points should be well covered in the employment contractual agreement:
- confidentiality or non-disclosure agreements that personnel who are given access to confidential information should sign prior to being given access to information and other associated assets;
- legal responsibilities and rights (e.g. regarding copyright laws or data protection legislation);
- responsibilities for the classification of information and management of the organisation’s information and other associated assets, information processing facilities and information services handled by the personnel;
- responsibilities for the handling of information received from interested parties;
- actions to be taken if personnel disregard the organisation’s security requirements.
Finally, the organisation should ensure that personnel agree to terms and conditions concerning information security.
Changes and Differences from ISO 27002:2013
Control 6.2 in ISO 27002:2022 is not exactly a new control in this ISO series. Published in February 2022, this version of ISO 27002 is an upgrade of the 2013 version. Hence, control 6.2 is a modified version of control 7.1.2 in ISO 27002:2013.
The 2022 version comes with an attributes table and a statement of purpose which is not available in control 7.1.2.
Having said that, there is no other obvious difference between the two controls apart from the change in control number. While the phraseology of the two controls may not be similar, the content and context are virtually the same.
Who Is in Charge of This Process?
The answer is simple: it depends on the company’s size and the way its employees are organised.
In smaller companies, one person may be responsible for all HR functions (e.g. recruitment, contracts, training). It may also be possible to delegate these responsibilities to another person within the company. This person would make sure that Control 6.2 is followed correctly by all employees but would not be responsible for its development or interpretation.
This function may also be a shared responsibility among all managers and supervisors throughout the organisation—from the CEO down through middle management levels.
However, for proper implementation of this control, it is best the HR manager is responsible, with oversight from the ISMS manager.
What Do These Changes Mean for You?
The new ISO 27002:2022 standard is not a significant update. As a result, you will not need to make any significant modifications in order to be compliant with the most recent version of ISO 27002.
Nonetheless, if you are planning to implement an ISMS (or even ISMS certification), it is crucial that you evaluate the current edition of ISO 27002 and confirm that your security procedures are adequate.
Additional information on how the new ISO 27002 will affect your information security operations and ISO 27001 certification may be found in our ISO 27002:2022 handbook, which is available for free download on our website.
New ISO 27002 Controls
New Controls
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
People Controls
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
Physical Controls
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.Online Helps
ISMS.online is a cloud-based solution that helps companies show compliance with ISO 27002. The ISMS.online solution can be used to manage the requirements of ISO 27002 and ensure that your organisation remains compliant with the new standard.
The ISO 27002 standard has been updated to reflect the growing cyber threats we face as a society. The current standard was first published in 2005 and revised in 2013 to reflect changes in technology, regulations and industry standards. The new version of ISO 27002 incorporates these updates into one document, as well as adding new requirements for organisations to help them better protect their data assets from cyber attacks.
The ISMS.online solution helps organisations implement ISO 27002: 2022 by providing an easy-to-use framework for documenting information security policies and procedures. It also provides a centralised location where you can store all your compliance documentation so it can be easily accessed by different stakeholders in the company (e.g. HR, IT).
Our platform is user-friendly and straightforward. It is not only for highly technical individuals; it is for everyone in your company.
Get in touch today to book a demo.