
ISO 27001 A.6.1-6.8: Personnel Security from Hiring to Departure

TL;DR
  • Controls A.6.1 through A.6.8 cover the entire employee lifecycle: screening before hiring, contractual provisions, awareness training, disciplinary process, post-termination obligations, confidentiality agreements, remote work, and reporting security events.
  • Screening (A.6.1) must be proportionate and comply with the legal framework. In Germany, the options are more limited than in other countries.
  • Awareness training (A.6.3) must be regular, documented, and tailored to employee roles. One-time mandatory training at hiring is not sufficient.
  • Secure departure (A.6.5) encompasses revoking all access rights, returning assets, and reminding the employee of continuing confidentiality obligations.
  • Remote work (A.6.7) requires dedicated security rules for VPN usage, device security, workspace environment, and handling confidential information.

The Human Factor

Technical security measures can be as sophisticated as they come: if an employee writes their password on a sticky note on their monitor, clicks on a phishing email, or takes confidential data with them when they leave, neither firewall nor encryption will help. Controls A.6.1 through A.6.8 address precisely this factor and cover the entire lifecycle of an employee from a security perspective.

ISO 27001:2022 groups these controls under "People controls." This is a change from the predecessor version, ISO 27001:2013, where the core personnel controls sat in A.7 (Human resource security) but teleworking (A.6.2.2), confidentiality agreements (A.13.2.4), and event reporting (A.16.1.2) were scattered across other sections. The consolidation makes the structure clearer and underscores the importance of the topic.

For a company with around 100 employees, these controls are particularly relevant because personal relationships and informal agreements often still dominate. "I know him, he's trustworthy" then replaces the formal verification, and "he knows what to do" replaces documented training. Neither holds up in an audit.

A.6.1: Screening

What the Standard Requires

Background verification checks on all candidates should be carried out before they join the organization and, where justified, repeated on an ongoing basis (for example on promotion into a more sensitive role). The checks must be proportionate, comply with the legal framework, and correspond to the protection need of the information the person will have access to.

Implementation in Germany

In Germany, the options for background checks are significantly more restricted than in the USA or UK, for example. The Federal Data Protection Act (BDSG) and the General Equal Treatment Act (AGG) set tight boundaries. What you can and should do:

Verification of qualifications: Verify certificates and certifications relevant to the position. An IT administrator claiming a CISSP certification should be able to prove it.

Resume verification: Check for plausibility and gaps. Reference checks with previous employers are permissible with the applicant's consent.

Criminal record check: For positions with special trust requirements (e.g., access to financial systems, administrator rights, access to personal data), a criminal record certificate can be requested. The requirement must be proportionate and should be announced in the job posting.

Identity verification: Verify the applicant's identity using an official ID document.

Credit check: Only for positions with direct access to financial resources and only with the applicant's consent.

What you should not do because it is legally problematic or disproportionate: blanket social media screening, credit agency inquiries without relevance to the position, medical examinations without a job-specific reason.

Tiered by Protection Need

Not every position requires the same depth of screening. Define screening tiers based on access to sensitive information:

Tier 1 (Standard): Identity verification, qualification check. Applies to all employees.

Tier 2 (Extended): Additionally criminal record check and reference verification. Applies to employees with access to confidential data or IT administration rights.

Tier 3 (Enhanced): Additionally credit check. Applies to employees with access to financial systems or payment processes.

A.6.2: Employment Contract Clauses

What the Standard Requires

Employment agreements must establish the responsibilities of employees and the organization regarding information security.

Typical Contract Clauses

Non-disclosure agreement (NDA): A confidentiality clause that extends beyond the duration of employment. It should clearly define what constitutes confidential information and what consequences a violation entails.

Obligation to comply with security policies: The employee commits to complying with the information security policy and all relevant subordinate policies.

Responsibility for assigned assets: The employee acknowledges responsibility for the devices and access provided to them.

Obligation to report security incidents: The employee commits to reporting security incidents and vulnerabilities without delay.

Consequences for violations: A reference to the disciplinary process for violations of information security policies.

Provisions for termination: Obligations upon termination of employment, particularly the return of assets and the continuing validity of confidentiality obligations.

Existing Employment Contracts

For new employees, you can incorporate the clauses directly into the employment contract. For existing employees, this is more complex because employment contract modifications require consent. Pragmatic alternatives are a separate non-disclosure agreement signed by all employees or a supplementary agreement to the existing employment contract.

A.6.3: Awareness, Education and Training

What the Standard Requires

Employees and relevant external parties must receive appropriate awareness training and regular updates on the information security policies relevant to their work.

Awareness vs. Training

There is an important distinction between awareness and training. Awareness means: employees know that information security is important, understand the fundamental risks, and know how they should behave. Training goes deeper: specific roles receive specific training, e.g., administrators on secure system configuration or developers on secure coding.

Program for Around 100 Employees

Initial training at onboarding: Every new employee receives an introduction to information security within the first week. Content: security policy, relevant policies, password hygiene, phishing recognition, reporting channels for security incidents, clean desk, screen lock.

Annual refresher: Once a year, all employees receive a refresher training. This should cover current threats, new or changed policies, and lessons learned from security incidents.

Role-specific training: IT administrators, managers, and employees with access to particularly sensitive data receive additional training tailored to their role.

Phishing simulations: Regular phishing simulations (quarterly) test employee behavior under realistic conditions. Anyone who clicks on a simulated phishing email receives additional brief training.

Event-driven training: Additional training is conducted after security incidents, when new systems are introduced, or when significant policy changes occur.

Documentation

Every training session must be documented: date, content, participant list, test results if applicable. In ISMS Lite, training records are managed per employee, and overdue refreshers automatically appear on the dashboard. The documentation is the evidence for the auditor that A.6.3 is lived.
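As an added example (not code from the page or from ISMS Lite), the following script turns the program above into a check that an auditor can reproduce: it evaluates per-employee training records against the onboarding window, the annual refresher interval, and a role-specific training requirement, and reports every gap. The record layout, role names, course names, thresholds, and sample data are assumptions constructed for this illustration.

```python
"""Training-record compliance check (added example, not ISMS Lite code).

Rules implemented, mirroring the program described in the text:
  - initial awareness training within the first week after the start date
  - a refresher at least every 365 days after the last awareness training
  - role-specific training for designated roles
All field names, role names and sample records are constructed assumptions.
"""
from datetime import date, timedelta

ONBOARDING_WINDOW = timedelta(days=7)      # assumption: "within the first week"
REFRESHER_INTERVAL = timedelta(days=365)   # assumption: "once a year"
DUE_SOON = timedelta(days=30)              # assumption: warn 30 days ahead
ROLE_TRAINING = {                          # assumed role -> required course
    "it-admin": "secure-administration",
    "developer": "secure-coding",
}

# Constructed sample data (not real employees).
EMPLOYEES = [
    {"id": "e001", "role": "sales",     "start": date(2023, 3, 1)},
    {"id": "e002", "role": "it-admin",  "start": date(2022, 9, 12)},
    {"id": "e003", "role": "developer", "start": date(2024, 6, 17)},
]
RECORDS = [
    {"id": "e001", "course": "awareness",             "date": date(2023, 3, 3)},
    {"id": "e001", "course": "awareness",             "date": date(2024, 3, 20)},
    {"id": "e002", "course": "awareness",             "date": date(2022, 9, 14)},
    {"id": "e002", "course": "awareness",             "date": date(2023, 5, 2)},
    {"id": "e002", "course": "secure-administration", "date": date(2023, 5, 2)},
    # e003 started two weeks before AS_OF and has no records yet
]
AS_OF = date(2024, 7, 1)   # reference date used for the sample run


def status(employees, records, today):
    """Return {employee id: [gap descriptions]}; an empty list means compliant."""
    result = {}
    for emp in employees:
        gaps = []
        mine = [r for r in records if r["id"] == emp["id"]]
        awareness = sorted(r["date"] for r in mine if r["course"] == "awareness")
        if not awareness:
            deadline = emp["start"] + ONBOARDING_WINDOW
            if today > deadline:
                gaps.append(f"initial awareness training overdue since {deadline}")
            else:
                gaps.append(f"initial awareness training due by {deadline}")
        else:
            if awareness[0] > emp["start"] + ONBOARDING_WINDOW:
                gaps.append("initial awareness training was completed outside the onboarding window")
            due = awareness[-1] + REFRESHER_INTERVAL
            if today > due:
                gaps.append(f"annual refresher overdue since {due}")
            elif today + DUE_SOON >= due:
                gaps.append(f"annual refresher due by {due}")
        required = ROLE_TRAINING.get(emp["role"])
        if required and not any(r["course"] == required for r in mine):
            gaps.append(f"role-specific training '{required}' missing")
        result[emp["id"]] = gaps
    return result


if __name__ == "__main__":
    for emp_id, gaps in status(EMPLOYEES, RECORDS, AS_OF).items():
        print(emp_id, "OK" if not gaps else "; ".join(gaps))
```

With the constructed data, e001 is compliant, e002 has an overdue refresher, and e003 (a developer who started two weeks earlier) is missing both the initial training and the secure-coding course. The same list, produced from real records, is exactly the evidence the auditor asks for under A.6.3.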

A.6.4: Disciplinary Process

What the Standard Requires

A formalized and communicated disciplinary process for handling violations of information security policies must exist.

Implementation

The disciplinary process does not need to be developed independently for information security. It can be integrated into the company's existing disciplinary procedure. What is important is that violations of information security policies are explicitly named as disciplinarily relevant misconduct.

The process should be tiered:

Tier 1: Discussion and instruction: For first-time, minor violations (e.g., screen not locked, visitor escort forgotten), a clarifying discussion with the supervisor and possibly the CISO takes place.

Tier 2: Written warning: For repeated or more serious violations (e.g., sharing access credentials, using unauthorized software), a documented warning follows.

Tier 3: Formal reprimand: For serious or repeated violations despite warning.

Tier 4: Employment law consequences: In grave cases (e.g., intentional data theft, deliberate sabotage), employment law consequences up to and including termination may follow.

Important: The disciplinary process must be known to employees before it is applied. If an employee first learns that there are consequences when they violate a rule, that is too late.

A.6.5: Responsibilities After Termination or Change of Employment

What the Standard Requires

The duties and responsibilities in the area of information security that remain in effect after termination or change of employment must be defined, enforced, and communicated.

Secure Departure

The departure of an employee is a critical moment from a security perspective. A structured offboarding process includes:

Access revocation: All user accounts are deactivated on the last working day, VPN access revoked, certificates revoked, and active sessions and personal API tokens invalidated (a disabled account does not end a session that is already open). In the case of immediate termination, access is revoked at the moment the employee is notified, not at the end of the day.

Asset return: Laptop, smartphone, keys, access cards, tokens, USB sticks, printed documents. Maintain a checklist that is created when assets are issued and signed off upon return.

Reminder of confidentiality obligations: In the exit interview, the employee is reminded of the continuing non-disclosure agreement. This should be documented.

Knowledge transfer: Before departure, it must be ensured that the employee's operationally relevant knowledge is secured. Passwords known only to the employee, documentation that exists only in their head, and configurations that only they understand must be handed over.

Change of shared credentials: If the employee had access to shared accounts or passwords (which ideally should not happen, but does in practice), these credentials must be changed.

Role Changes

Not only departure but also internal role changes are security-relevant. When an employee moves from accounting to sales, they must lose accounting access rights and receive sales access rights. In practice, employees accumulate new rights with each role change without old ones being revoked (so-called "privilege creep"). A.6.5 requires that these situations are also addressed.
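The offboarding and role-change checks described in this section can be reconciled mechanically. As an added example (not code from the page or from ISMS Lite), the script below compares a constructed HR roster export against a constructed directory export and a role-to-group matrix, and reports three kinds of findings: accounts of departed employees that are still enabled, accounts holding groups their current role does not permit (privilege creep), and enabled accounts with no HR record. The export formats, field names, group names, and sample records are assumptions made for this illustration.

```python
"""Offboarding and role-change reconciliation (added example, not ISMS Lite code).

Inputs (all constructed assumptions):
  HR_ROSTER   - one record per person; 'left' is the last working day or None
  DIRECTORY   - one record per account in the directory / identity provider
  ROLE_GROUPS - the only groups each role may hold (least-privilege baseline)
"""
from dataclasses import dataclass
from datetime import date

HR_ROSTER = [
    {"id": "e001", "name": "A. Becker", "role": "accounting", "left": None},
    {"id": "e002", "name": "C. Demir",  "role": "sales",      "left": None},  # moved from accounting
    {"id": "e003", "name": "F. Gruber", "role": "it-admin",   "left": date(2024, 5, 31)},
    {"id": "e004", "name": "H. Ito",    "role": "sales",      "left": date(2024, 6, 14)},
]

DIRECTORY = [
    {"account": "abecker",    "id": "e001", "enabled": True,  "groups": {"staff", "finance-ro"}},
    {"account": "cdemir",     "id": "e002", "enabled": True,  "groups": {"staff", "crm-users", "finance-ro"}},
    {"account": "fgruber",    "id": "e003", "enabled": True,  "groups": {"staff", "domain-admins", "vpn"}},
    {"account": "hito",       "id": "e004", "enabled": False, "groups": {"staff", "crm-users"}},
    {"account": "svc-backup", "id": None,   "enabled": True,  "groups": {"backup-operators"}},
]

ROLE_GROUPS = {
    "accounting": {"staff", "finance-ro", "finance-rw"},
    "sales":      {"staff", "crm-users"},
    "it-admin":   {"staff", "domain-admins", "vpn"},
}

AS_OF = date(2024, 6, 30)   # reference date for the sample run


@dataclass
class Finding:
    account: str
    kind: str      # "departed-enabled" | "privilege-creep" | "orphan"
    detail: str


def reconcile(roster, directory, role_groups, today):
    """Return a list of Finding objects; an empty list means the directory matches HR."""
    by_id = {p["id"]: p for p in roster}
    findings = []
    for acct in directory:
        person = by_id.get(acct["id"])
        if person is None:
            # No HR record: service accounts belong here too and need a named owner.
            if acct["enabled"]:
                findings.append(Finding(acct["account"], "orphan",
                                        "no HR record; verify owner or disable"))
            continue
        left = person["left"]
        if left is not None and left <= today:
            if acct["enabled"]:
                overdue = (today - left).days
                findings.append(Finding(acct["account"], "departed-enabled",
                                        f"left {left}, still enabled ({overdue} days)"))
            continue  # departed and disabled: nothing further to check
        # Still employed: groups must be a subset of what the current role permits.
        allowed = role_groups.get(person["role"], set())
        excess = acct["groups"] - allowed
        if excess:
            findings.append(Finding(acct["account"], "privilege-creep",
                                    f"role '{person['role']}' does not permit {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, DIRECTORY, ROLE_GROUPS, AS_OF):
        print(f"{f.kind:17} {f.account:12} {f.detail}")
```

With the constructed data the run flags cdemir (kept the finance-ro group after moving to sales), fgruber (left a month ago, still enabled with domain-admin rights), and svc-backup (enabled, no owner in HR). Running this comparison on a schedule is also the cheapest way to close Finding 3 below, because it makes the gap between HR's departure date and IT's revocation date visible.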

A.6.6: Confidentiality or Non-Disclosure Agreements

What the Standard Requires

Requirements for non-disclosure or confidentiality agreements must be identified, documented, regularly reviewed, and signed by employees and relevant external parties.

Implementation

For employees, the non-disclosure agreement is typically part of the employment contract or a separate agreement signed upon hiring (see A.6.2).

For external parties (consultants, freelancers, suppliers, visitors with access to sensitive areas), separate NDAs are needed. These should define what information is confidential, how long the confidentiality obligation lasts, what usage restrictions apply, and what consequences a violation entails.

A.6.7: Remote Working

What the Standard Requires

Security measures must be implemented when employees work at remote locations to protect information that is accessed, processed, or stored outside the organization's premises.

Rules for Remote Work

For a company with around 100 employees, a significant proportion of whom presumably work regularly from home, A.6.7 is an important control. The key rules:

VPN requirement: Access to internal systems occurs exclusively via VPN. The only exception is cloud services that are designed to be reached over the public internet; these must be protected by MFA.

Device security: Only approved, IT-managed devices may be used for work (or clear BYOD rules exist). Full-disk encryption, current patches, and endpoint protection are mandatory.

Workspace environment: Confidential conversations must not be held in public environments (cafe, train). Screens must be protected from viewing by third parties (privacy screen, positioning). Printed confidential documents must be securely stored and destroyed.

Network security: Public Wi-Fi (hotel, cafe, train) may only be used with the VPN tunnel established; working on such networks without VPN is prohibited.

Physical security at home: If working regularly from home, the workspace should be lockable. Company laptops are locked when not in use and not left out in the open.

A.6.8: Information Security Event Reporting

What the Standard Requires

Employees must have a mechanism to report observed or suspected information security events in a timely manner through appropriate channels.

Establishing Reporting Channels

Define clear reporting channels that every employee knows:

Primary channel: Email to a defined address (e.g., security@company.com) or ticket in the IT helpdesk system.

Secondary channel: Phone call to the CISO or IT management when the primary channel is unavailable or for particularly urgent incidents.

Anonymous channel: An option for anonymous reporting can be useful to lower inhibitions, particularly when the employee fears the report will reflect back on them (e.g., because they made a mistake themselves).

Fostering a Reporting Culture

The technical reporting channels alone are not enough. What matters is the culture: employees must know that they should report security events, even if it turns out to be a false alarm. "Better to report once too many than once too few" must be the clear message. And they must trust that a report will have no negative consequences for the reporter, even if they made a mistake that led to the event (no-blame culture).

Typical Audit Findings for A.6.1-A.6.8

Finding 1: No Documented Screening Process

Screening happens informally, but there is no documented process defining which checks are performed for which positions.

Finding 2: Missing Training Records

Awareness training takes place, but there are no participant lists, no documentation of content, and no evidence of regularity.

Finding 3: Incomplete Offboarding

When employees leave, not all access is revoked in a timely manner. There is no checklist, and responsibilities between HR, IT, and the business unit are unclear.

Finding 4: Remote Work Without Security Rules

Employees regularly work from home, but there is no documented policy defining security requirements for remote work.

Finding 5: Employees Do Not Know the Reporting Channels

In interviews with employees, it becomes apparent that they do not know how or where to report a security incident.

How ISMS Lite Supports Compliance

Onboarding checklist: A configurable checklist containing all security-relevant steps for new employees: screening, contract clauses, policy acknowledgment, initial training, asset issuance.

Training management: Planning, execution, and documentation of awareness training. Automatic reminders for overdue refresher training. Evidence per employee.

Offboarding workflow: Structured process for secure departure: asset return, access revocation, reminder of confidentiality obligations. With confirmation steps and audit trail.

Document management: Non-disclosure agreements and acknowledgment confirmations are versioned and linked to the employee profile.

Dashboard: Overview of the security status of all employees: Who completed which training? Whose acknowledgment confirmation is overdue? Which offboarding processes are open?

Document personnel security end-to-end

ISMS Lite supports you in documenting the entire employee lifecycle: screening checklists, contract clauses, training records, and offboarding workflows. Everything in one place, audit-ready documented.
