
Disciplinary process

Annex A control 6.4 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 7.2.3

In an ideal world, companies would avoid information security incidents altogether. But even the most security-conscious organisation must prepare for the worst, and where an incident or near miss results from someone breaking the organisation's information security policy, part of dealing with it is a formal, consistently applied disciplinary process. This is the focus of control 6.4.

Establishing a disciplinary process is vital for deterring information security violations. It sets out, in advance, how a suspected violation is formally communicated and investigated, and what penalties may apply to employees, contractors, or any other interested party who violates information security policy.

Understanding information security violations

When the rules governing the proper handling of information are broken, this is considered an information security violation. Information security policies exist to protect confidential, personal, and proprietary data, including customer data and financial records.

Infractions of information security policy can take many forms. Depending on what the policy prohibits, examples include sending personal communications from a company email account without authorisation, or damaging the firm's equipment or software in a way that compromises the data it holds.

Breaking the rules set out in the organisation's information security policy may result in disciplinary action. This may include dismissal, but is not limited to it; lesser sanctions such as warnings or retraining are also part of a proportionate process.

Making use of control 6.4

The disciplinary process is there to ensure staff and other interested parties alike understand the consequences of breaching information security policy. Designed both to deter violations and to give the organisation a defined course of action when one occurs, control 6.4 brings clarity to how a breach is handled.

Control 6.4 requires that personnel who violate information security policy face a formal, communicated disciplinary process, so everyone should be aware of the consequences of such actions before they occur; these consequences are typically set out in the disciplinary procedure and referenced from the information security policy and the terms and conditions of employment. By ensuring personnel know what could happen if they breach information security rules, the likelihood of deliberate data leakage or carelessness is reduced.

Creating clear guidelines

Control 6.4 expects organisations to give clear guidance on the disciplinary process that follows an information security violation. Activities that help implement control 6.4 include:

  • Disciplinary measures for failure to adhere to information security policies
  • Supplying staff with a copy of the organisation's disciplinary procedures, and recording that they have received them
  • Undertaking regular training sessions to keep staff aware of policy changes
  • Ensuring disciplinary procedures are applied consistently across similar circumstances
  • Initiating the disciplinary process promptly after a violation is confirmed, to discourage further breaches, while still allowing a fair investigation

Meeting the requirements of control 6.4

When there is evidence that the organisation's policies, procedures or rules have not been adhered to, the formal disciplinary process should be initiated. Having such a process documented, communicated, and followed in practice is how organisations meet the requirements of control 6.4.

The control's guidance is that the formal disciplinary process should take into account four key factors when deciding on a response. These are:

  • The extent of the breach (its nature, seriousness and consequences: who did what, when, and where)
  • Whether the breach was accidental or deliberate
  • Whether the breach was a first or repeat offence
  • Whether the person had received adequate information security training before the breach

What’s changed since 2013?

ISO 27001:2022 Annex A control 6.4 replaces ISO 27001:2013 Annex A control 7.2.3, using plainer language to make it easier to follow. Apart from the change of wording and the new control number, the substance of the newer control remains much the same as its older counterpart, so organisations already meeting 7.2.3 need only update their documentation references rather than redesign their disciplinary process.