ISO 27002:2022, Control 6.4, Disciplinary Process, addresses the need for organisations to put in place a formal disciplinary process that serves as a deterrent, so that personnel do not commit information security policy violations.
This process should be formally communicated and a suitable penalty designed for employees and other relevant interested parties who commit an information security policy violation.
Information security policy violation is a breach of the rules or laws governing the proper handling of information. Information security policies are established by organisations to protect confidential, proprietary and personal data, such as customer records and credit card numbers. Information security policies also include computer security policies that help ensure the safety and integrity of data stored on computers.
For example, if you don’t have permission from your supervisor to use company email to send personal emails, doing so may result in a violation of company policy. In addition, if you make a mistake while using company equipment or software and cause damage to it or the data stored on it, that could also be considered an information security policy violation.
If an employee violates an organisation’s information security policy, he or she could be subject to disciplinary action or termination from employment. In some cases, a company may choose not to terminate an employee who breaks its computer usage policy, but instead take other appropriate measures to prevent future violations of company policy.
Controls can be grouped using attributes. When you look at the control’s attributes, you can more easily relate it to established industry requirements and terminology. The following attributes are in control 6.4.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains
---|---|---|---|---
#Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Respond | #Human_Resource_Security | #Governance_and_Ecosystem
The purpose of the disciplinary process is to ensure personnel and other relevant interested parties understand the consequences of an information security policy violation.
Apart from ensuring that employees and other relevant interested parties understand the consequences of information security policy violations, control 6.4 is designed to deter and help deal with those that violate these policies.
A key element of an effective information security programme is the ability to implement appropriate disciplinary actions for employees who violate information security policies and procedures. This way, employees are aware of the consequences of violating established policies and procedures, thus reducing the potential for intentional or accidental data breaches.
The following are examples of activities that may be included when implementing this control:
The disciplinary actions spelled out in the documented disciplinary process should be taken promptly following an incident, to discourage others who may be inclined to violate organisational policies.
To meet the requirements of control 6.4, disciplinary action must be taken when there is evidence of non-compliance with the policies, procedures, or regulations of the organisation. This includes non-compliance with legislation and regulations that apply to the organisation.
According to control 6.4, the formal disciplinary process should provide for a graduated response that takes into consideration the following factors:
The action should take into account all pertinent legal, legislative, regulatory, contractual, and corporate obligations, as well as any other pertinent circumstances.
If you are familiar with ISO 27002:2013, you will know that even though the control identifier has changed, control 6.4 in ISO 27002:2022 is not a new control. Rather, it is a modified version of control 7.2.3 in ISO 27002:2013.
That said, there are no significant differences between the two versions of the control. The differences you will notice are that the control number has changed from 7.2.3 to 6.4, and that the 2022 version of the standard adds an attributes table and a statement of purpose, neither of which appears in the 2013 version.
Aside from their different wording, these controls are basically identical in terms of their content and context. User-friendly terminology was used in ISO 27002:2022 to make sure that the standard’s users could better understand its content.
In most cases, the disciplinary process is handled by the department manager or human resources representative. It is not uncommon for the HR representative to delegate the responsibility of disciplinary action to someone else in the organisation, such as an information security specialist.
The main purpose of disciplinary action is to protect the organisation against any further violations by the employee. It also aims to prevent similar incidents from reoccurring by ensuring that all employees understand the significance of information security violations.
In order to make sure that disciplinary action is taken against an employee who has violated an organisation’s policies or procedures, it is important that there are clear guidelines for handling such situations. These guidelines should include specific instructions about how to conduct investigations and the actions that should be taken after investigations have been completed.
If you are wondering what these changes mean for you, here is a brief breakdown of the most important points:
The structure of the standard remains unchanged. Some controls have been amended, though, to clarify their meaning or improve consistency with other parts of the standard.
However, if you intend to obtain ISMS certification, you may need to examine your security procedures to verify that they comply with the revised standard.
To learn more about how the new ISO 27002 may affect your information security operations and ISO 27001 certification, please check out our free ISO 27002:2022 guide.
ISMS.Online is the leading ISO 27002 management system software that supports compliance with ISO 27002, and helps companies to align their security policies and procedures with the standard.
The cloud-based platform provides a complete set of tools to assist organisations in setting up an information security management system (ISMS) according to ISO 27002.
These tools include:
ISMS.Online also allows users to:
ISMS.Online also provides guidance on how to best implement your ISMS by providing tips on how to create policies and procedures related to aspects such as risk management, personnel security awareness training, and incident response planning.
Our platform has been designed from scratch with the help of information security experts from around the world, and we have developed it in a way that makes it easy for people without any technical knowledge about information security management systems (ISMS) to use it.
Want to see it in action? Get in touch today to book a demo.
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
---|---|---
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
---|---|---
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
---|---|---
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |