What Is Control 6.4?
ISO 27002:2022, Control 6.4. Disciplinary Process talks about the need for organisations to put in place some form of disciplinary process to serve as a deterrent so that personnel will not commit information security violations.
This process should be formally communicated and a suitable penalty designed for employees and other relevant interested parties who commit an information security policy violation.
Information Security Violation Explained
Information security policy violation is a breach of the rules or laws governing the proper handling of information. Information security policies are established by organisations to protect confidential, proprietary and personal data, such as customer records and credit card numbers. Information security policies also include computer security policies that help ensure the safety and integrity of data stored on computers.
For example, if you don’t have permission from your supervisor to use company email to send personal emails, doing so may result in a violation of company policy. In addition, if you make a mistake while using company equipment or software and cause damage to it or the data stored on it, that could also be considered an information security policy violation.
If an employee violates an organisation’s information security policy, he or she could be subject to disciplinary action or termination from employment. In some cases, a company may choose not to terminate an employee who breaks its computer usage policy, but instead take other appropriate measures to prevent future violations of company policy.
Attributes Table
Controls can be grouped using attributes. When you look at the control’s attributes, you can more easily relate it to established industry requirements and terminology. The following attributes are in control 6.4.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality | #Protect | #Human Resource Security | #Governance and Ecosystem |
| #Corrective | #Integrity | #Respond | ||
| #Availability |
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
What Is the Purpose of Control 6.4?
The purpose of the disciplinary process is to ensure personnel and other relevant interested parties understand the consequences of an information security policy violation.
Apart from ensuring that employees and other relevant interested parties understand the consequences of information security policy violations, control 6.4 is designed to deter and help deal with those that violate these policies.
A key element of an effective information security programme is the ability to implement appropriate disciplinary actions for employees who violate information security policies and procedures. This way, employees are aware of the consequences of violating established policies and procedures, thus reducing the potential for intentional or accidental data breaches.
The following are examples of activities that may be included when implementing this control:
- Conduct periodic training sessions on policy changes;
- Design disciplinary actions for non-compliance with information security policies;
- Provide a copy of the organisation’s disciplinary procedures to each employee;
- Ensure that disciplinary procedures are followed consistently in similar situations.
The disciplinary actions spelled out in the framework/document should be taken promptly following an incident, to discourage others who may want to violate organisational policies.
What Is Involved and How to Meet the Requirements
To meet the requirements of control 6.4, disciplinary action must be taken when there is evidence of non-compliance with the policies, procedures, or regulations of the organisation. This includes non-compliance with legislation and regulations that apply to the organisation.
According to control 6.4, the formal disciplinary process should provide for a graduated response that takes into consideration the following factors:
- The nature (who, what, when, how), gravity, and consequences of the breach;
- Whether the offence was malicious (intentional) or unintentional (accidental);
- Whether this is the first or second offence;
- Whether or not the violator received adequate training.
The action should take into account all pertinent legal, legislative, regulatory, contractual, and corporate obligations, as well as any other pertinent circumstances.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Changes and Differences from ISO 27002:2013
If you are familiar with ISO 27002:2013, you will know that even though the control identity/ number has been changed, control 6.4 in ISO 27002:2022 is not exactly a new control. Rather, it is a modified version of control 7.2.3 in ISO 27002:2013.
That said, there are no significant differences between the two controls in both versions of ISO 27002. The little difference you will notice is that the control number has been changed from 7.23 to 6.4. Also, in the 2022 version of the standard, the attributes table and statement of purpose have been included. These two features are not in the 2013 version.
Aside from their different wording, these controls are basically identical in terms of their content and context. User-friendly terminology was used in ISO 27002:2022 to make sure that the standard’s users could better understand its content.
Who Is in Charge of This Process?
In most cases, the disciplinary process is handled by the department manager or human resources representative. It is not uncommon for the HR representative to delegate the responsibility of disciplinary action to someone else in the organisation, such as an information security specialist.
The main purpose of disciplinary action is to protect the organisation against any further violations by the employee. It also aims to prevent similar incidents from reoccurring by ensuring that all employees understand the significance of information security violations.
In order to make sure that disciplinary action is taken against an employee who has violated an organisation’s policies or procedures, it is important that there are clear guidelines for handling such situations. These guidelines should include specific instructions about how to conduct investigations and the actions that should be taken after investigations have been completed.
What Do These Changes Mean for You?
If you are wondering what these changes mean for you, here is a brief breakdown of the most important points:
- It is not a significant change, so you don’t need to re-certify.
- You can keep your existing certification until it expires (if it is still valid).
- There are no major changes in the content of ISO 27002.
- The focus is more on updating the standard to align with current best practices and standards.
The structure of the standard remains unchanged. Some controls have been amended, though, to clarify their meaning or improve consistency with other parts of the standard.
However, if you are intending on obtaining ISMS certification, you may need to examine your security procedures to verify they are in compliance with the revised standard.
To learn more about how the new ISO 27002 may affect your information security operations and ISO 27001 certification, please check out our free ISO 27002:2022 guide.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.Online Helps
ISMS.Online is the leading ISO 27002 management system software that supports compliance with ISO 27002, and helps companies to align their security policies and procedures with the standard.
The cloud-based platform provides a complete set of tools to assist organisations in setting up an information security management system (ISMS) according to ISO 27002.
These tools include:
- A library of templates for common corporate documents;
- A set of predefined policies and procedures;
- An audit tool to support internal audits;
- An interface for customising ISMS policies and procedures;
- An approval workflow for all changes made to policies and procedures;
- A checklist for making sure that your policies and information security processes follow the approved international standards.
ISMS.Online also allows users to:
- Manage all aspects of the ISMS life-cycle with ease.
- Get real-time insights into their security posture and compliance gaps.
- Integrate with other systems like HR, finance, and project management.
- Demonstrate compliance of their ISMS with ISO 27001 standards.
ISMS.Online also provides guidance on how to best implement your ISMS by providing tips on how to create policies and procedures related to aspects such as risk management, personnel security awareness training, and incident response planning.
Our platform has been designed from scratch with the help of information security experts from around the world, and we have developed it in a way that makes it easy for people without any technical knowledge about information security management systems (ISMS) to use it.
Want to see it in action?
Get in touch today to book a demo.
