
ISO 27001 Annex A 6.4 Disciplinary Process Ultimate Guide

Last updated Dec 21, 2025

Author: Stuart Barker | ISO 27001 Lead Auditor

ISO 27001 Disciplinary Process

The ISO 27001 disciplinary process is a formal, documented procedure that an organisation uses to take action against personnel, and other relevant interested parties such as contractors, who violate its information security policy, topic specific policies or procedures. It sets out how a suspected violation is verified, investigated, documented and resolved, and what consequences can follow.

What is ISO 27001 Annex A 6.4?

ISO 27001 Annex A 6.4 Disciplinary Process is an ISO 27001:2022 Annex A control that requires you to have a formalised and communicated process for taking action against people who violate your information security policy, topic specific policies and procedures.

ISO 27001 Annex A 6.4 Purpose

The purpose of the disciplinary process is to make sure people understand, in advance, what will happen if they violate information security policy and what the consequences will be. The intent is both to deter people from ignoring policy and to deal appropriately and consistently with those who do.

ISO 27001 Annex A 6.4 Definition

ISO 27001 defines the ISO 27001 Annex A 6.4 disciplinary process as:

A disciplinary process should be formalised and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.


How to implement ISO 27001 Annex A 6.4

General Guidance

You are going to

  • engage with a HR professional
  • implement a HR disciplinary process
  • include information security violations in the disciplinary process
  • communicate the disciplinary process to relevant and interested parties
  • act on the process as required and maintain evidence

When to take disciplinary action

You are going to confirm and verify that an information security policy violation has actually occurred before you take any disciplinary action. Evidence gathered through the incident management process (Annex A 5.25 to 5.28) is the normal starting point, not a rumour or an unverified alert.

What should the disciplinary action consider?

Under the guidance of a HR professional you are going to consider a reasoned and proportionate response that takes into account all legal and regulatory requirements and obligations. Consider:

  • The nature of the event
  • The intent – was it intentional or unintentional
  • The frequency – was it a first time or a repeat offence
  • Was the person aware of what was required and can you prove that
  • Was the person trained and can you prove that

Reward positive behaviour

It isn’t only a negative approach. Rewarding positive behaviour in relation to information security, in whatever form is appropriate to you, can be a great way to strengthen the culture and improve adherence to policy. Monetary rewards, formal recognition in meetings and an ‘information security star of the month’ are all examples of what we have seen work well.

What are the different types of disciplinary actions that can be taken?

The types of disciplinary action that can be taken vary with the severity of the offence. Common actions, in increasing order of seriousness, include:

  • verbal warning
  • written warning
  • suspension
  • termination of employment (or of the contract, for contractors and other interested parties)

Who is responsible for administering the disciplinary process?

The disciplinary process is usually administered by the organisation’s human resources department. However, in some cases, the disciplinary process may be administered by the employee’s manager or supervisor.

What are the steps involved in the disciplinary process?

The steps involved in the disciplinary process vary depending on the organisation. However, some common steps include:

  1. Investigation of the incident
  2. Review of the employee’s file
  3. Meeting with the employee to discuss the incident
  4. Issuance of a written warning or other disciplinary action
  5. Follow-up to ensure that the employee has corrected the behaviour

What are the rights of the employee during the disciplinary process?

Exact rights depend on local employment law and any collective agreement, but the employee will typically have the right to:

  • Be informed of the allegations against them
  • Be present at any disciplinary meeting
  • Respond to the allegations
  • Be represented by a union representative or other advocate
  • Appeal the disciplinary decision

What are the responsibilities of the employer during the disciplinary process?

The employer has the responsibility to:

  • Investigate the incident thoroughly
  • Review the employee’s file
  • Meet with the employee to discuss the incident
  • Issue a written warning or other disciplinary action that is fair and consistent with the organisation’s policies and procedures
  • Follow up to ensure that the employee has corrected the behaviour

What are the consequences of not following the disciplinary process?

The consequences of not following the disciplinary process can vary depending on the organisation. However, some common consequences include:

  • Increased employee turnover
  • Decreased employee morale
  • Decreased productivity
  • Increased legal liability

What are the challenges of implementing a disciplinary process?

Some of the challenges of implementing a disciplinary process include:

  • Dealing with employee emotions
  • Avoiding bias
  • Ensuring that the process is fair and consistent
  • Documenting the process


How to comply

To comply with ISO 27001 Annex A 6.4 Disciplinary Process you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  • Write, sign off, implement and communicate your topic specific policies for HR
  • Write, sign off, implement and communicate your disciplinary procedures
  • Implement your training and awareness that includes the consequences of violating policies and procedures
  • Implement your communication plan to communicate to relevant and interested parties
  • Ensure that the disciplinary process meets all applicable laws and regulations, including local employment law
  • Implement a process of internal audit that checks that the appropriate controls are in place and effective and where they are not follow the continual improvement process to address the risks

How to pass the audit of ISO 27001 Annex A 6.4

To pass an audit of ISO 27001 Annex A 6.4 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas for compliance with Annex A 6.4 Disciplinary Process. Let’s go through them.

1. That you have a documented disciplinary process

The auditor will meet with the HR team and look for a documented disciplinary process that includes violations of information security policies and procedures.

2. That you have communicated the disciplinary process

The process needs to be communicated to relevant and interested parties. The auditor will check the training and awareness plan and the communication plan, and will look for past evidence that this communication has actually happened.

3. That people are aware of their responsibilities

The auditor is going to check for documented processes and documented topic specific policy, that these have been communicated, and that people have been trained on what is required of them.

Common Mistakes

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.4 Disciplinary Process are:

1. You have no evidence that anything actually happened

You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans and training plans on the disciplinary process. If it isn’t written down it didn’t happen.

2. One or more members of your team haven’t done what they should have done

Prior to the audit, check that all members of the team have done what they should have. Do they know where the process documents for the disciplinary process are? Do a pre-audit as close to the audit as you can that checks the disciplinary process and the HR team that will be involved. Assuming they are doing the right thing is a recipe for disaster. Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no unresolved comments in them are all good practices.

ISO 27001 Annex A 6.4 FAQ

What are the Benefits of the ISO 27001 Disciplinary Process?

The following are the top 5 benefits of ISO 27001 Annex A 6.4 Disciplinary Process:

  • Certification: you cannot get ISO 27001 certification without it.
  • Improved security: you will have an effective information security implementation that is based on people who are trained and aware of the requirements for information security, with a mechanism to take action when people do not do as expected.
  • Reduced risk: by having a process to take action you will have a deterrent in place that reduces the risk of a breach of information security policy.
  • Improved compliance: many regulations and laws require a disciplinary process to be implemented.
  • Reputation protection: in the event of a breach, having a disciplinary procedure in place will reduce the potential for fines and reduce the PR impact of an event.

Who is responsible for the ISO 27001 disciplinary process?

HR is responsible for the disciplinary process. Under the guidance of legal counsel they are best placed to follow best practice and meet the requirements of the law.

Why is a Disciplinary Process important in ISO 27001?

A disciplinary process is important because it helps to ensure that employees comply with the organisation’s policies and procedures. It also helps to create a fair and consistent workplace, and it can help to protect the organisation from legal liability.

Here are some of the benefits of having a disciplinary process in place:

  • Increased employee compliance with policies and procedures. A well-defined disciplinary process can help to ensure that employees are aware of the organisation’s expectations and that they are held accountable for their actions. This can help to prevent misconduct and to create a more productive and safe workplace.
  • Decreased employee turnover. Employees who feel that they are being treated fairly and consistently are less likely to leave their jobs. This can save the organisation money in recruiting and training costs.
  • Increased employee morale. A fair and consistent disciplinary process can help to create a positive work environment where employees feel valued and respected. This can lead to increased morale and productivity.
  • Decreased legal liability. By having a clear and well-defined disciplinary process in place, organisations can help to protect themselves from legal liability in the event of employee misconduct, because the organisation can demonstrate that it has taken steps to prevent and address misconduct.

Will I need the help of a HR professional for the ISO 27001 Disciplinary Process?

Yes. You will need the help of a HR professional and a legal professional.

ISO 27001 Clause 7.5.1 Documented Information

ISO 27001 Clause 7.4 Communication

ISO 27001 Annex A 5.1 Policies for Information Security

ISO 27001 Annex A 6.2 Terms and Conditions of Employment

Further Reading

The complete guide to ISO/IEC 27002:2022

Matrix of ISO 27001 Controls and Attribute values

  • Control type: Preventive, Corrective
  • Information security properties: Confidentiality, Integrity, Availability
  • Cybersecurity concepts: Protect, Respond
  • Operational capabilities: Human resource security
  • Security domains: Governance and ecosystem

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
