6.4 Disciplinary process
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|----------------------------|-----------------------------------------|---------------------------|-------------------------------|-----------------------------|
| #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Respond | #Human_resource_security | #Governance_and_Ecosystem |
Control
A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.
Purpose
To ensure personnel and other relevant interested parties understand the consequences of an information security policy violation, and to deter and appropriately deal with those who have committed one.
Guidance
The disciplinary process should not be initiated without prior verification that an information security policy violation has occurred (see 5.28).
The formal disciplinary process should provide for a graduated response that takes into consideration factors such as:
a) the nature (who, what, when, how) and gravity of the breach and its consequences;
b) whether the offence was intentional (malicious) or unintentional (accidental);
c) whether this is a first or a repeated offence;
d) whether or not the violator was properly trained.
The response should take into consideration relevant legal, statutory, regulatory, contractual and business requirements, as well as other factors as required. The disciplinary process should also serve as a deterrent, discouraging personnel and other relevant interested parties from violating the information security policy, topic-specific policies and procedures for information security. Deliberate information security policy violations can require immediate action.
Other information
Where possible, the identity of individuals subject to disciplinary action should be protected in line with applicable requirements.
When individuals demonstrate excellent behaviour with regard to information security, they can be rewarded to promote information security and encourage good behaviour.