Gary Hibberd

ISO27001:2022 - A6.4 – Disciplinary process

Updated: Aug 2


When all is said and done, there may be times when you need to take action against those who have breached your policies. That’s why this ISO27001 control is necessary. It expects that you have a process to deal with those who deliberately or accidentally breach your policies.

Sounds simple, right? Well, as always, there is a little more to this control than first meets the eye.

What does the standard require?


The standard states that “A disciplinary process shall be formalised and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.” (A6.4 – Disciplinary process).

Although you might initially think of disciplinary processes as being related only to personnel, notice that this ISO27001 control also mentions other relevant interested parties. Therefore, this isn’t just a matter for your HR function to be concerned with. You need to speak to the area of the business that deals with supplier agreements (including contractors) to ensure that relevant clauses are in place which outline the action that can be taken should an incident occur.


By now you will have already defined relevant policies by implementing Annex A Control A5.1 – Information Security Policies, which will include an Acceptable Use Policy. This requirement is covered in Annex A control A5.10 - Acceptable use of information and other associated assets.


You will also have contracts and agreements in place because you implemented Annex A controls A6.2 (Terms and conditions of employment), and A5.20 (Addressing information security within supplier agreements) respectively.


Why is this required?


If a vendor or one of your personnel does something which is in contravention of your policies and practices, you need to know that there is a process that you can rely on, which ensures continued security and safety of your business.

Interested parties need to know what is defined as a disciplinary matter, or a breach of contract, so that they understand not only the boundaries but also the implications for them.

Without a disciplinary process, you could do something that leaves you exposed to claims of unfair dismissal or of not following due process.


What the auditor is looking for


The auditor will be looking for a formally documented disciplinary process which has been communicated appropriately to the interested parties, including your personnel. Evidence that the auditor will be looking for will typically include:


  • Employment contracts
  • Contractor contracts
  • Supplier agreements
  • Disciplinary process
  • Security policies (which include details of non-compliance)
  • Employee handbook
  • Communication of policies


If there have been any disciplinary actions, the auditor may also ask to see how the matter was managed and documented.


What do you need to do?


Work with your HR specialist to understand what would be considered a disciplinary matter. Normally this falls into two categories:


  • Misconduct
  • Gross misconduct


Review what is defined in both categories and ensure that you include a reference to information security. For example, the definition of misconduct may include the theft of company assets. If this is included, then you’re in a good place, because data is clearly a company asset. However, it would be beneficial to specifically identify that a breach of data protection or information security policies would be deemed a disciplinary matter.


Remembering that this is about interested parties too, it’s important to review supplier contracts and see what they say in relation to breach of contract. For example, can the contract be cancelled if there is a breach? What actions would be taken following a breach?


Once the disciplinary process is in place, be sure to communicate this to interested parties.



Q & A


What should I do if there isn’t a disciplinary process?

This is a topic which is wider than ISO27001, so you would need to speak to an HR specialist or legal representative who can advise you on what you need to put in place. Having a process is foundational when it comes to running a business, as you need it for both internal personnel and suppliers. This is not something you want to leave to chance.


Difficulty rating

We rate this 1 out of 5 for difficulty. This isn’t difficult, but it does require input from your HR function. They need to define the process, and you need to provide input and support.



More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to find answers on other aspects of the standard. Follow the links in this control to see its relationship to other controls, but if you’re still confused about this control, then please get in touch.

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.
