Cybercrime poses a serious threat to companies of all industries and sizes - this is widely known. The repertoire ranges from espionage to sabotage to blackmail. However, the danger does not only come from the Internet. Your own employees can also be a serious risk factor. Especially if your company has not taken appropriate measures - take a look at Annex A.7 of ISO 27001.
A well-structured information security management system (ISMS) in accordance with the ISO 27001 standard provides the basis for effectively implementing a holistic information security strategy. The systematic approach helps to protect confidential company data from loss and misuse and to reliably identify potential risks to the company, analyze them and make them controllable through appropriate measures. This involves much more than just the aspects of IT security. The implementation of the measures in Annex A of the standard is particularly valuable for practice.
ISO/IEC 27001:2013: Information technology — Security techniques — Information security management systems — Requirements
In addition to the management system-oriented requirements section (chapters 4 to 10), the 2017 version of the ISO standard's Annex A contains an extensive list of 35 measure targets (controls) with 114 concrete measures on a wide range of security aspects across 14 chapters.
Our audit guide ISO 27001 - Annex A was created by leading experts as a practical implementation aid and is ideally suited to better understand selected standard requirements. The guideline refers to ISO 27001:2013 and will soon be updated to the revised ISO 27001 that was published on 25 Oct, 2022.
Note: The statements referred to as "measures" in Annex A are actually individual targets (controls). They describe what a standard-compliant result of suitable (individual) measures should look like.
Companies should use these controls as a basis for their individual, more in-depth structuring of their information security policy. With regard to the topic of personnel, the measure objective "Personnel security" in Appendix A.7 is of particular interest.
"The measures do not rely on distrust of employees, but on clearly structured personnel processes."
Personnel processes ensure across all phases of employment that responsibilities and duties are assigned with regard to information security and that compliance is monitored. Violations of the information security policy - both intended and unintended - are thus not impossible, but they are made much more difficult. And if worst comes to worst, an effective ISMS provides the organization with appropriate mechanisms for dealing with the breach.
It is by no means a matter of mistrust if a company issues appropriate guidelines to make unauthorized access from the inside more difficult or, better still, to prevent it altogether. After all, one thing is clear: If an employee's termination is imminent or has already been announced, his or her dissatisfaction can lead to targeted data theft. This happens especially when the terminated employee believes he or she has proprietary rights to project data. Conversely, an application for a particular job may already be made with the intent to commit a criminal act.
Other scenarios indicate grossly negligent behavior or simply recklessness, which can have similarly serious consequences. It happens, for example, that entire IT departments do not adhere to their own rules - too cumbersome, too time-consuming. In the office, it's the careless handling of passwords or unprotected smartphones. But also careless connecting of USB sticks, open documents on the screen, secret documents in empty offices - the list of possible omissions is long.
Companies that have implemented an information security management system (ISMS) in accordance with the ISO 27001 standard are in a better position here. They know the requirements and the practice-relevant Annex A.7 of the internationally recognized standard. Because ISO 27001 has a lot to offer here: Although the reference measures refer directly to the standard requirements, they are always aimed at direct company practice.
Companies with an effective ISMS are familiar with the targets specified in A.7, which must be implemented with a view to personnel security for full compliance with the standard - across all phases of employment.
The organization must ensure that a new employee understands their future responsibilities and is suitable for their role before employing them - according to Annex A.7.1. In the requirements section (Chapter 7.2), the standard talks about "competence."
As a goal-oriented reference measure, applicants for a job first receive a security clearance that complies with ethical principles and applicable laws. This check must be appropriate in relation to business requirements, the classification of the information to be obtained and possible risks (A.7.1.1). In order to be able to achieve this, the following should, among other things, be in place, ensured or verified:
The next step is about employment and contractual terms. So, this reference measure in Annex A of ISO/IEC 27001 consists of the contractual agreement on what responsibilities employees have towards the company and vice versa (A.7.1.2). Successful implementation of this requirement includes, among other things, the fulfillment of these points:
Employees must be aware of their information security responsibilities. This is the goal of A.7.2, and more importantly, employees must live up to these responsibilities.
The first measure (A.7.2.1) is aimed at management's obligation to encourage its employees to implement information security in accordance with established policies and procedures. To this end, the following points must be regulated as a minimum:
In chapter 7.3 "Awareness", ISO 27001 requires that persons performing relevant activities are aware of the following
New employees in particular need regular information on the subject, e.g., by e-mail or via the intranet, in addition to the mandatory briefing on information security issues. Concrete training (especially on emergency plans and exercises), topic-specific workshops and awareness campaigns (e.g., via posters) strengthen awareness of the information security management system.
For example, reference measure A.7.2.1 in Annex A of ISO 27001 also serves to create appropriate awareness of information security. Organizations must train and educate their employees and, where appropriate, their contractors on professionally relevant topics. Corresponding policies and procedures must be updated regularly. The following aspects, among others, must be taken into account:
TIP: Ensure well-functioning communication with multiple channels for knowledge transfer. This is because the awareness of the ISMS and related aspects required by the standard is closely related to the transfer of knowledge.
Annex 7.2.3: This measure specifies the manner in which the organization will handle reprimands in the event of information security violations. The basis for this is a corrective action process. It shall be formally defined, established, and announced. The following must be ensured:
Annex A.7.3 of ISO 27001 specifies as a target an effective termination or change process to protect the interests of the organization. This objective focuses on the responsibilities for termination or change of employment. Accordingly, information security-related responsibilities and obligations that remain after termination or change of employment must be defined, communicated, and enforced. It makes sense to consider these aspects:
The threat from within is real - and most companies are aware of it. According to a security study (Balabit 2018), employees who have wide-ranging access rights are particularly vulnerable to attack. And with employees involved in 50 percent of all security breaches, 69 percent of responding IT professionals consider a breach of insider data to be the greatest risk. Yet little is being done about it. In practice, it is often difficult to make accusations against in-house staff. Especially in small and medium-sized enterprises (SMEs), where people know each other, a certain amount of trust is often placed in them - sometimes with unpleasant consequences. Well-structured information security management provides the basis for ensuring the security of information that requires protection.
Benefit from excellent audit questions and possible evidence on selected actions. The guideline is based on ISO/IEC 27001:2013.
It's much more than a checklist!
Created by our real-world experts.
In Annex A.7, ISO/IEC 27001:2013 provides reference measures for personnel security that must be implemented as part of the introduction of the standard. Companies should use these controls as a basis for their individual, more in-depth design of their information security policy. The measures do not rely on mistrust of employees, but on clearly structured personnel processes.
The ISO 27002 guideline defines a broad catalog of general security measures to support organizations in implementing the requirements from Annex A of ISO 27001. At the beginning of 2022, the guideline was comprehensively revised and updated. The new edition provides information security managers with a precise outlook on the changes to be expected with the revision of ISO 27001.
Certified companies value management systems as tools for top management that create transparency, reduce complexity and provide security. However, management systems do even more: Assessed and certified by a neutral and independent third party such as DQS , they create trust with interested parties in your company's performance.
Many organizations still experience certification as a compliance check. Our customers, on the other hand, see it as an opportunity to focus on success-critical factors and the results of their management system. Because our core competencies lie in the performance of certification audits and assessments. This makes us one of the leading providers worldwide with the claim to set new standards in reliability, quality and customer orientation at all times
How much work do you have to do to have your information security management system certified to ISO 27001? Find out free of charge and without obligation.
Please note: Our articles are written exclusively by our in-house management system experts and long-standing auditors. If you have any questions for our authors on information security (ISMS), please contact us. We look forward to talking with you.
Product manager at DQS for information security management. As a standards expert for the area of information security and IT security catalog (critical infrastructures), André Säckel is responsible for the following standards and industry-specific standards, among others: ISO 27001, ISIS12, ISO 20000-1, KRITIS and TISAX (information security in the automotive industry). He is also a member of the ISO/IEC JTC 1/SC 27/WG 1 working group as a national delegate of the German Institute for Standardization DIN.
