The basics
ISO 27001 control A.6.4 Disciplinary process requires companies to carry out a formal disciplinary process against people who have committed a violation of information security rules, in order to establish whether such a breach was intentional.
Documentation
ISO 27001 control A.6.4 Disciplinary process can be documented:
- for smaller and mid-sized companies by writing an Incident Management Procedure
- for larger companies by writing a Disciplinary Procedure
These documents are not mandatory, but recommended.
Implementation
In order to comply with control A.6.4 Disciplinary process you might implement the following:
- Technology — the technology to enable disciplinary processes may include forensic software to support the investigation of the most relevant incidents and hardware to securely store digital evidence. Small companies may use outsourced services when needed, while bigger companies may have a dedicated team and tools for such investigations.
- Organization/processes — you should set up a process for defining who must be involved in disciplinary processes, and the steps to be performed. You can document those processes through an Incident Management Procedure or a Disciplinary Procedure.
- People — make employees aware of why performing disciplinary processes is needed, and train required personnel on how to perform them.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.6.4 Disciplinary process: whether disciplinary actions are carried out against those who have violated information security rules.
If the auditor does not find such evidence, then he/she will have to raise a nonconformity.