
ISO 27001 HR Security: What Annex A.6 Requires at Every Employment Stage

HR security controls apply before someone joins, while they work for you, and when they leave. Here is what ISO 27001 Annex A.6 requires at each stage and the evidence auditors request.

Rounak Maheshwari

Founder, ISO READY 360 · ISO 27001:2022 Practitioner

People are both the greatest asset and the most significant security risk in any organisation. ISO 27001 recognises this through Annex A.6, which covers six controls spanning the entire employee lifecycle — from the hiring process through to departure. These controls are regularly reviewed in Stage 2 audits. Auditors will ask for background check records, employment contract clauses, training completion records, and evidence that leavers had their access revoked promptly.

The Three Employment Phases

  • Phase 1, Before Joining: screening and terms (A.6.1, A.6.2)
  • Phase 2, During Employment: awareness, discipline (A.6.3, A.6.4)
  • Phase 3, Termination: responsibilities and return (A.6.5)

A.6.1 — Screening

Background verification checks must be carried out on all candidates prior to employment. The depth of screening should be proportionate to the role: a system administrator with privileged access to production infrastructure warrants a more thorough check than a junior marketing hire.

Your screening process should be documented in your HR security policy. Evidence auditors look for: a record that screening was carried out for each employee (not necessarily the results — the fact that it was done), and a policy that defines what screening is required for each role category.

A.6.2 — Terms and Conditions of Employment

Employment contracts must include security responsibilities. At minimum, contracts should reference the employee's obligation to comply with the organisation's information security policies, handle data in accordance with data protection requirements, report security incidents, and return assets on termination.

A generic employment contract that says nothing about security is insufficient. A brief security addendum or a specific clause referencing the ISMS policy is the minimum required.

A.6.3 — Information Security Awareness, Education and Training

All staff must receive appropriate security awareness training. This is one of the most consistently reviewed controls in Stage 2. Auditors will ask: what training do you provide, how often, and can you show completion records?

Training evidence auditors request

  • Training completion records (names, dates, modules completed)
  • Evidence that all staff completed training (not just IT or management)
  • Training content — what topics were covered?
  • How new joiners receive security training and by when
  • Refresh training cadence — annual is typical

Training does not need to be a formal e-learning course. A documented presentation, a policy acknowledgement with a quiz, or a guided walkthrough of key policies with sign-off is sufficient for most organisations. What is not sufficient: "we talk about security during onboarding" with no record of it.

A.6.4 — Disciplinary Process

A formal disciplinary process must exist for employees who violate information security policies. This does not mean you need a unique security-specific disciplinary process — most organisations reference their existing HR disciplinary framework and confirm it covers security policy violations. What auditors look for is that staff know there are consequences for violations, and that this is documented.

A.6.5 — Responsibilities After Termination or Change of Employment

Security responsibilities do not end when an employee walks out the door. Confidentiality obligations persist. Your off-boarding process must include: return of all assets (devices, access cards, documents), revocation of all access (see access control), and a reminder of ongoing confidentiality obligations — ideally evidenced by a signed off-boarding checklist.
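One way to produce the "access revoked promptly" evidence this control calls for is to reconcile the HR leaver list against an account directory export and flag anything an auditor would query. The script below is an added illustration, not the article's or ISO READY 360's own tooling; the leaver records, account export, and the one-day revocation target are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from any real organisation).
# HR leaver records: (user_id, termination_date, assets_returned, checklist_signed)
LEAVERS = [
    ("asmith", date(2024, 3, 1), True, True),
    ("bjones", date(2024, 3, 4), False, True),
    ("cwhite", date(2024, 3, 5), True, False),
]
# Directory export: (user_id, enabled, disabled_on); disabled_on is None while enabled
ACCOUNTS = [
    ("asmith", False, date(2024, 3, 1)),
    ("bjones", False, date(2024, 3, 11)),
    ("cwhite", True, None),
    ("dgreen", True, None),  # current staff member, not a leaver
]


@dataclass
class Finding:
    user_id: str
    issue: str


def reconcile(leavers, accounts, today, max_delay_days=1):
    """Return findings that would fail an A.6.5 evidence review.

    max_delay_days is an assumed internal target, not a figure from the standard.
    A leaver with no directory entry at all is treated as already revoked."""
    by_user = {uid: (enabled, off) for uid, enabled, off in accounts}
    findings = []
    for uid, left_on, assets_back, signed in leavers:
        enabled, disabled_on = by_user.get(uid, (False, None))
        if enabled:
            findings.append(Finding(uid, f"account still enabled {(today - left_on).days} days after leaving"))
        elif disabled_on and (disabled_on - left_on).days > max_delay_days:
            findings.append(Finding(uid, f"access revoked {(disabled_on - left_on).days} days after leaving"))
        if not assets_back:
            findings.append(Finding(uid, "assets not recorded as returned"))
        if not signed:
            findings.append(Finding(uid, "off-boarding checklist not signed"))
    return findings


def demo_findings():
    """Run the reconciliation over the constructed data as of 2024-03-20."""
    return reconcile(LEAVERS, ACCOUNTS, date(2024, 3, 20))


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.user_id}: {f.issue}")
```

An empty result is itself the evidence record: keep each run's output with the date it was produced.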

A.6.7 — Remote Working

Remote working is a dedicated control in the 2022 version of the standard. Your remote working policy must address the security measures required for staff working outside office premises. This includes acceptable device use, secure connectivity, screen privacy in public places, secure home network requirements, and incident reporting when working remotely.

Contractor and third-party staff

Annex A.6 applies not just to permanent employees but to contractors, agency staff, and consultants with access to your information systems. Your screening, awareness, and off-boarding processes must cover these individuals too. A common gap: permanent staff have training records and signed contracts but contractors have neither.

If you want help implementing the HR security controls and producing the required records, our ISO 27001 consulting service covers Annex A.6 controls as part of a full ISMS build.

Ready to Move Forward?

Browse our audit-ready ISO 27001 templates or book a free 30-minute scoping call to talk through your specific situation.