People Controls define eight essential measures in Annex A.6 that transform every team member into an active contributor to your organization’s security posture. This post describes each control, outlines step-by-step implementation guidance, and details verification techniques, from competence audits and social-engineering tests to privilege reviews and incident analyses, to ensure measurable effectiveness. For a complete map of all Annex A controls and their relationships, refer to our Annex A Controls Overview.
This domain covers all measures related to personnel screening, onboarding, training, ongoing awareness, and offboarding to ensure that people remain assets rather than liabilities.
A.6.1 Screening
Background checks, identity verification, and vetting procedures for prospective employees and contractors.
How to implement:
Define screening criteria based on role risk level (e.g., access to sensitive data requires criminal and credit checks).
Integrate screening into hiring workflows, with HR and hiring managers collaborating on approvals.
Document clearance levels and store screening records securely for audit.
How to verify:
Review HR records to confirm checks were performed before granting system access.
Audit clearance logs for completeness and retention compliance.
A.6.2 Terms and Conditions of Employment
Employment contracts and policies that include confidentiality, non-disclosure, and security-related obligations.
How to implement:
Embed security clauses in employment agreements (e.g., data protection, acceptable use, reporting requirements).
Ensure all staff sign updated contracts when policies change.
Link the contract management system to the policy repository for version control.
How to verify:
Sample-check signed contracts for current security clauses.
Confirm HR system flags unsigned or outdated agreements.
A.6.3 Information Security Awareness, Education, and Training
Programs to educate employees on security policies, threats, and best practices.
How to implement:
Develop mandatory onboarding training modules covering password hygiene, phishing avoidance, and data handling.
Schedule annual refresher courses and targeted sessions after major incidents.
Use quizzes or simulations to reinforce learning.
How to verify:
Extract training completion reports from your LMS.
Measure quiz scores and track improvements over time.
A.6.4 Disciplinary Process
Procedures for handling violations of security policies or misconduct.
How to implement:
Define clear disciplinary steps for policy breaches, from warnings to termination.
Communicate the process in employee handbooks and policy portals.
Train managers on consistent enforcement practices.
How to verify:
Review HR incident records for follow-through on disciplinary actions.
Check that corrective actions align with documented procedures.
A.6.5 Responsibilities after Termination or Change of Employment
Ensuring access rights are revoked and company property is returned when staff leave or change roles.
How to implement:
Integrate exit checklists into offboarding processes, covering account deactivation and asset retrieval.
Automate deprovisioning workflows in IT systems.
Conduct exit interviews to remind departing staff of ongoing confidentiality obligations.
How to verify:
Audit deprovisioning logs to confirm timely removal of access.
Inspect asset tracking records for returned equipment.
A.6.6 Role-Based Security Responsibilities
Assigning security duties based on job function and access levels.
How to implement:
Map roles to required security tasks (e.g., system admins handle patch management).
Document responsibilities in job descriptions and RACI matrices.
Include security KPIs in performance reviews.
How to verify:
Review role documentation and confirm alignment with system permissions.
Check performance records for security-related objectives.
A.6.7 Outsider Personnel Security
Security measures for consultants, contractors, and temporary staff.
How to implement:
Apply the same screening and training requirements to third-party personnel as employees.
Define time-bound access with automatic expiry for contractor accounts.
Require non-disclosure agreements before granting any system or data access.
How to verify:
Audit contractor account logs for expiration and appropriate access levels.
Check NDA records for all active third-party personnel.
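The two verification steps above (A.6.5 deprovisioning timeliness and A.6.7 contractor account expiry) can be automated as a reconciliation of HR records against identity-provider audit events. The following is an added illustration, not code from the original post; the HR leaver dates, contract end dates, IdP events and the 24-hour revocation SLA are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumed, not from the page): HR offboarding
# records, contractor end dates and identity-provider audit events,
# all as ISO 8601 timestamps in UTC.
HR_LEAVERS = {
    "a.jones": "2024-03-01T17:00:00",   # employee, last working day
    "b.smith": "2024-03-04T12:00:00",
}
CONTRACTORS = {
    "c.vendor": "2024-02-28T00:00:00",  # agreed contract end date
    "d.vendor": "2024-04-30T00:00:00",
    "e.vendor": "2024-03-01T00:00:00",  # ended, no IdP events at all
}
IDP_EVENTS = [
    # (user, event, timestamp) as exported from the IdP audit log
    ("a.jones", "disabled", "2024-03-01T18:30:00"),
    ("b.smith", "disabled", "2024-03-07T09:00:00"),  # well past the SLA
    ("d.vendor", "login", "2024-03-10T08:00:00"),
    ("c.vendor", "login", "2024-03-05T08:00:00"),    # used after contract end
]
SLA = timedelta(hours=24)  # assumed policy: revoke access within 24h of leaving
AS_OF = datetime.fromisoformat("2024-03-15T00:00:00")  # audit date

def _parse(ts):
    return datetime.fromisoformat(ts)

def disabled_at(user):
    """Earliest 'disabled' event for a user, or None if never disabled."""
    times = [_parse(t) for u, e, t in IDP_EVENTS if u == user and e == "disabled"]
    return min(times) if times else None

def audit_leavers(leavers=HR_LEAVERS, sla=SLA, as_of=AS_OF):
    """A.6.5 check: {user: finding} for accounts not revoked within the SLA."""
    findings = {}
    for user, left in leavers.items():
        deadline = _parse(left) + sla
        done = disabled_at(user)
        if done is None:
            if as_of > deadline:
                findings[user] = "still enabled"
        elif done > deadline:
            findings[user] = f"disabled {done - deadline} late"
    return findings

def audit_contractors(contractors=CONTRACTORS, as_of=AS_OF):
    """A.6.7 check: contractor accounts used after, or still enabled past, contract end."""
    findings = {}
    for user, end in contractors.items():
        end_dt = _parse(end)
        late = [t for u, e, t in IDP_EVENTS
                if u == user and e == "login" and _parse(t) > end_dt]
        if late:
            findings[user] = f"{len(late)} login(s) after contract end"
        elif end_dt < as_of and disabled_at(user) is None:
            findings[user] = "expired contract but account never disabled"
    return findings
```

Each finding maps directly to the evidence an auditor would ask for: the HR date, the IdP event and the gap between them.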
A.6.8 Monitoring and Measuring Human-Related Security Controls
Ongoing evaluation of people-centric controls through metrics and reviews.
How to implement:
Define KPIs such as training completion rates, policy acknowledgement percentages, and incident reports per user.
Include these metrics in monthly or quarterly security dashboards.
Review trends and adjust programs based on performance data.
How to verify:
Inspect dashboard data sources for accuracy.
Track historical KPI trends to demonstrate continuous improvement.
By applying these People Controls, you turn employees into an empowered line of defense and significantly reduce human-related security risks. Next, explore our deep dive into Organizational Controls (A.5), Physical Controls (A.7), and Technological Controls (A.8) to complete your Annex A implementation roadmap.