People Controls in ISO 27001

The Essential Measures for Information Security

Protecting sensitive information and data is more important than ever in today's digital world. Technological and physical threats keep evolving, but people remain the biggest risk factor for every organisation. This is why ISO 27001, the international standard for information security management, includes a set of controls in Annex A that deal specifically with people.

To protect an organisation's information, it is crucial to implement a comprehensive information security management system (ISMS). An ISMS consists of a coordinated set of controls that together ensure the confidentiality, integrity and availability of information.

People controls are an important part of an ISMS. They address the human factor in information security and are designed to ensure that employees have the knowledge, skills and obligations needed to handle information securely.


Control Categories from Annex A: Organizational, People, Physical, and Technological

ISO 27001:2022 defines 93 controls in Annex A that contribute to improving an organisation's information security. These controls are divided into four categories (the standard calls them themes):

  • Organizational controls

  • People controls

  • Physical controls

  • Technological controls

The four categories make it easier to plan and implement measures and to select the right controls for the context of the organisation.

In 2022, the Annex A controls were restructured to reflect current security requirements: the 14 domains of the 2013 edition were consolidated into these four themes. ISO 27001:2022 keeps the core ISMS management processes unchanged but updates the controls in Annex A to address current risks and threats.

Learn more about the transition to the new ISO 27001 controls in our transition guide.


What are people-related controls?

People controls are measures that an organisation implements to influence employee behaviour and to protect its staff in relation to information security.

The people controls of ISO 27001 ensure that employees and other persons who have access to information systems and data have an appropriate understanding of information security and comply with the organisation's requirements.

In practice, this covers responsibilities, appropriate training and access to knowledge, as well as the obligations of the organisation and of employees when handling sensitive information. It also includes topics such as remote working, non-disclosure agreements, onboarding and offboarding processes, and responsibilities for reporting security events.

Among other things, they include:

  • Training and awareness campaigns that sensitise employees to information security risks

  • Policies and procedures governing the secure handling of information

  • Processes for the selection, recruitment and monitoring of employees

  • Measures to promote a culture of information security within the organisation


Why are people controls important?

People are often the weakest link in information security. They can inadvertently disclose information or be targeted by phishing and social engineering attacks. People controls help to minimise these risks by enabling employees to recognise such attacks and to handle information securely.

ISO 27001 people controls: What are they?

People controls are an essential part of a comprehensive information security strategy. This theme is the smallest of the four: it comprises just eight controls, Annex A 6.1 to 6.8. The complete list of people controls from Annex A of ISO 27001:2022 is:

  • Annex A 6.1 Screening

  • Annex A 6.2 Terms and Conditions of Employment

  • Annex A 6.3 Information Security Awareness, Education and Training

  • Annex A 6.4 Disciplinary Process

  • Annex A 6.5 Responsibilities After Termination or Change of Employment

  • Annex A 6.6 Confidentiality or Non-Disclosure Agreements

  • Annex A 6.7 Remote Working

  • Annex A 6.8 Information Security Event Reporting

How are people controls implemented?

The implementation of people controls is a process that can be divided into three steps:

  1. Planning: A plan for implementing the people controls is created.

  2. Implementation: The people controls are put into operation.

  3. Monitoring and improvement: The effectiveness of the people controls is monitored and improved where necessary.

Planning

The first step in the implementation of people controls is planning. In this step, a plan is created that covers the following aspects:

  • Objectives: What are the objectives to be achieved by implementing the people controls?

  • Scope: Which people controls shall be implemented?

  • Responsibilities: Who is responsible for the implementation and operation of the people controls?

  • Resources: What resources are required for the implementation of the people controls?

Planning should be closely coordinated with the other areas of the information security management system, so that the people controls integrate seamlessly into the ISMS and achieve the desired objectives.

Implementation

In this step, the people controls are put into operation. This includes, among other things:

  • Creation of policies and procedures: Policies and procedures define the requirements for the people controls.

  • Training and awareness: Employees are trained and made aware of their information security responsibilities.

  • Implementation of technical measures: Technical measures, such as access revocation on offboarding or a reporting channel for security events, can support the effectiveness of the people controls.

The implementation of people controls should take place within a reasonable period of time. It is important to consider the impact of the new measures on employees and on the organisation.

Monitoring and improvement

As with all other controls, the effectiveness of the people controls should be monitored regularly. The following measures, among others, can be used for this purpose:

  • Audits: Audits check compliance with the people controls.

  • Feedback from employees: Employees can provide feedback on the people controls.

  • Analysing security incidents: Analysing security incidents can reveal weaknesses in the people controls.

Regular monitoring and improvement keep the people controls effective and, in this way, the organisation's information security can be improved continuously.

Additional tips for the implementation of people controls

  • Involve employees: Employees should be involved in the planning and implementation of people controls from the outset. This helps them to identify with the new measures and to accept them.

  • Communicate the people controls clearly and comprehensibly: Employees should understand why the people controls are important and how they can comply with them.

  • Provide training and awareness-raising: Training and awareness help to ensure that employees understand information security requirements and comply with them.

  • Provide resources: Give employees the resources they need to implement and maintain the people controls.

By implementing people controls, an organisation's information security can be improved. People controls help to ensure that employees and others who have access to information systems and data have an appropriate understanding of information security and comply with it.

People controls to strengthen your information security

People controls are an important component of an ISMS. They help to influence the behaviour of employees with regard to information security and thus contribute to the security of information.

People controls provide companies with guidelines that govern the selection of employees, teach them how to handle sensitive information, and promote compliance with the corresponding rules.

ISO 27001:2022 takes current information security challenges into account and offers ways to address modern working conditions such as remote work and digital processes.

Find the right controls for your company and use our ISO 27001 checklist to find out which measures you need to implement to achieve ISO 27001 certification.
