People controls are an important part of an ISMS.
They focus on the human factor in information security and reduce the likelihood of costly errors.
When implemented correctly, people controls ensure that employees have the right knowledge and skills to handle information securely and recognize threats or incidents.
Protecting sensitive information and data is more important than ever in today’s digital world. Technological and physical threats are always evolving—but people remain the biggest risk factor for all organizations. This is why ISO 27001, the international standard for information security management, includes a series of measures in Annex A that focuses on dealing with employees.
In order to protect an organization’s information, it is crucial to implement a comprehensive information security management system (ISMS).
ISO 27001 defines 93 controls in Annex A that contribute to improving an organization's information security. These controls are divided into four categories:
The four categories facilitate the planning and implementation of measures and the selection of the right controls for the context of the organization.
In 2022, the ISO 27001 control categories were restructured to reflect current security requirements. The new version of the standard ISO 27001:2022 maintains the core processes of ISMS management, but updates the controls in Annex A to address more modern risks and the threats.
Learn more about the transition to the new ISO 27001 controls in our transition guide.
People controls are measures that organizations can implement to influence employee behaviour and protect staff in relation to information security.
The people-related controls of the ISO 27001 framework ensure that employees and other persons who have access to information systems and data have an appropriate understanding of information security and comply with it.
This means that it defines responsibilities, appropriate training and access to knowledge as well as obligations of the organization and employees with regard to the handling of sensitive information. This also includes topics such as remote working, non-disclosure agreements, onboarding and offboarding processes and responsibilities for reporting incidents.
Among other things, they include:
100% first-try pass rate in external audits on ISO 27001
People are often the weak link in information security. They can inadvertently disclose information or be targeted by phishing or social engineering attacks. Personnel-related controls help to minimise these risks by enabling employees to handle information securely.
Personnel-related controls are an essential part of a comprehensive information security strategy. The advantage of this area is that it comprises just eight measures that you can implement. We have compiled a list with a comprehensive overview of all personnel-related controls from Annex A of ISO 27001:
|
People Controls |
Annex A 6.1 |
Screening |
|
People Controls |
Annex A 6.2 |
Terms and Conditions of Employment |
|
People Controls |
Annex A 6.3 |
Information Security Awareness, Education and Training |
|
People Controls |
Annex A 6.4 |
Disciplinary Process |
|
People Controls |
Annex A 6.5 |
Responsibilities After Termination or Change of Employment |
|
People Controls |
Annex A 6.6 |
Confidentiality or Non-Disclosure Agreements |
|
People Controls |
Annex A 6.7 |
Remote Working |
|
People Controls |
Annex A 6.8 |
Information Security Event Reporting |
The implementation of people controls is a process that can be divided into several steps:
The first step in the implementation of people controls is planning. In this step, a plan is created that includes the following aspects:
The planning should be closely coordinated with the other areas of the information security management system. In this way, the people-related controls can be seamlessly integrated into the ISMS and achieve the desired objectives.
In this step, the people controls are implemented. This includes, among other things:
The implementation of people-related controls should take place within a reasonable period of time. It is important to consider the impact of the new measures on employees and the organization.
As all other controls, also the effectiveness of the people controls should be monitored regularly. The following measures, among others, can be taken for this purpose:
Monitoring and improving people controls will result in their optimisation. In this way, the organization's information security can continuously be improved.
By implementing personnel-related controls, an organization's information security can be improved. The personnel-related controls help to ensure that employees and others who have access to information systems and data have an appropriate understanding of information security and comply with it.
People controls are an important component of an ISMS. They help to influence the behaviour of employees with regard to information security and thus ensure the security of information.
Personnel-related measures provide companies with guidelines that influence the selection of employees, teach them in the handling of sensitive information and promote the secure handling of corresponding rules.
The current challenges of information security are taken into account in ISO 27001:2022 and opportunities are offered to establish an appropriate approach to modern conditions such as remote work and digital processes.
Find the right controls for your company and use our ISO 27001 checklist to find out which measures you need to implement to realise ISO 27001.
People controls are a set of measures in Annex A of ISO 27001 focused on managing human-related security risks, including training, screening, roles and responsibilities, remote work, and incident reporting. They ensure employees handle information securely and consistently.
Yes, people controls apply to all persons who have access to your information systems and data, including employees, contractors, and any external parties involved in your processes.
People controls contribute to your Information Security Management System (ISMS) by addressing the human factor in security risks. They demonstrate that you’ve considered and mitigated human-related threats, which is a requirement auditors look for when evaluating compliance with the Annex A control objectives.
_EasiestSetup_EaseOfSetup.svg)
TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide Software-as-a-Service and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.
All data provided is for information only, based on internal estimates. This information is not indicative of KPIs, and is not given with any warranties or guarantees, expressly stated or implied in relation to accuracy and reliability.
{
"@context": "https://schema.org",
"@graph": [
{
"@type": "Organization",
"@id": "www.dataguard.com#organization",
"name": "DataGuard",
"legalName": "DataCo GmbH",
"description": "DataGuard, the European leader in security and compliance software, is trusted by more than 4,000 organizations across 50+ countries. We help you identify and manage your security and compliance risks and fast-track your certifications and compliance by combining expert consultancy with AI-powered automation. Our purpose-built, all-in-one platform is developed with the experience of over 1.5 million total hours by a team of certified security and compliance experts.",
"foundingDate": "2018",
"taxID": "DE315880213",
"logo": "https://7759810.fs1.hubspotusercontent-na1.net/hubfs/7759810/DataGuardLogo.svg",
"url": "www.dataguard.com",
"email": "info@dataguard.de",
"telephone": "+49 89 452459 900",
"address": {
"@type": "PostalAddress",
"streetAddress": "Sandstrasse 33",
"addressLocality": "Munich",
"addressRegion": "Bavaria",
"postalCode": "80335",
"addressCountry": "Germany"
},
"sameAs": [
"https://www.linkedin.com/company/dataguard1/",
"https://www.youtube.com/channel/UCEQzPZ6sCBCj9cAoBvaLL6w",
"https://x.com/i/flow/login?redirect_after_login=%2FDataGuard_dg"
]
}
]
}✅ Organization schema markup for "DataGuard" has been injected into the document head.