Disciplinary Process - ISO 27001 Annex A Control

ISO 27001 Annex A 6.4

If breaching the policy has no consequences, the policy is just paperwork.

ISO 27001 Annex A 6.4 - Disciplinary Process

The control closes the loop on policy enforcement. Setting policies and training people on them only goes so far if there is no consequence for breaching them. The disciplinary process establishes that information security is treated as seriously as other workplace obligations, and that deliberate or repeated breaches will be addressed through formal action.

The process should already exist as part of HR practice - the control does not require a separate information security disciplinary procedure, only that the existing process recognises information security breaches as a category of conduct that may trigger it. The wording typically appears in the staff handbook or the disciplinary policy itself, with information security obligations listed alongside other categories of misconduct.

Proportionality is built in. Genuine errors and minor breaches should typically be handled through coaching, additional training or informal action. Patterns of non-compliance, gross misconduct or deliberate breaches escalate up the formal disciplinary route. The process needs to apply consistent treatment so that similar circumstances lead to similar outcomes.

The disciplinary process tends to be one of the easier controls to evidence, because most organisations already have one. The audit question is whether information security breaches are explicitly within scope and whether the workforce knows that. If the staff handbook lists the categories of misconduct that may trigger formal action and information security breaches feature among them, the documentary side of the control is in place.

Where I do find issues is consistency of application. If a senior manager commits a breach and gets a quiet word, but a junior member of staff committing a similar breach gets a formal warning, that inconsistency is itself a finding. The audit will look at how breaches have been handled and whether the response has been proportionate and consistent.

Practical Compliance Guidance

The disciplinary arrangements for information security breaches are described in the IMS1 manual at section 8.5 alongside the People Security Policy. The staff handbook contains the substantive disciplinary process.

alphaZ document: ISO 27001 Toolkit
How to use it: The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

No. The control requires that information security breaches are within the scope of the existing disciplinary process and that staff understand that. A standalone information security disciplinary policy is not needed - it is sufficient that the standard disciplinary process recognises information security breaches as a triggering category.
Through the incident management process under A.5.24 to A.5.27, plus monitoring activities, audit findings and reports from staff or third parties. Where an incident investigation reveals individual misconduct, the matter is referred to HR through the agreed route to consider whether formal disciplinary action is appropriate.
The contractual relationship with contractors is different from employment, but the principle of consequences for breach should still apply. The procurement contract or agency agreement should set out the consequences of breach - typically termination of the engagement, removal from site, and possible cost recovery. The route is contractual rather than disciplinary, but the deterrent effect is similar.

UK Legislation

The disciplinary process must operate within UK employment law. Relevant references include:

Further Resources
