Behavioural controls are measures that influence personnel conduct to ensure secure information handling within an organisation. The primary implementation requirement involves establishing a security-conscious culture through the Annex A people controls, providing the business benefit of effectively mitigating human-sourced risks such as phishing and accidental data breaches.
What are Behavioural controls?
Behavioural controls are measures that influence the actions and conduct of people to ensure they handle information securely. They are a core part of an organisation’s Information Security Management System (ISMS) because the human element is often a significant source of risk. Instead of focusing on technology or physical barriers, these controls aim to foster a security-conscious culture and manage the security responsibilities of individuals throughout their employment lifecycle.
Examples
- Information Security Awareness, Education, and Training: Regular training sessions to teach employees about security policies, common threats like phishing, and best practices for protecting data.
- Disciplinary Process: A clear and documented process for addressing security policy violations, ensuring that non-compliance is handled consistently and fairly.
- Terms and Conditions of Employment: Including information security responsibilities in employment contracts and job descriptions so employees are aware of their obligations from the beginning.
- Responsibilities After Termination: Defining and enforcing security responsibilities that continue after an employee leaves, such as the obligation to maintain confidentiality and the process for returning company assets.
ISO 27001 Context
Behavioural controls are a key component of the People controls domain (formerly Annex A.7) within ISO 27001, which is focused on human resources security. The standard requires that organisations implement these controls to ensure that all personnel, including employees, contractors, and third-party users, are aware of and fulfil their information security responsibilities.
How to implement Behavioural controls
Implementing behavioural controls is a critical component of ISO 27001, focusing on the human element to mitigate risks such as insider threats, social engineering, and accidental data loss. As a Lead Auditor, I recommend this technical roadmap to ensure that your personnel actions align with the Information Security Management System (ISMS) and Annex A requirements.
1. Establish Governance and Policy Frameworks
1. Formalise the Acceptable Use Policy (AUP): Document the specific rules for how information assets and systems are used by personnel, resulting in a legally defensible set of expectations for employee behaviour.
2. Document the Disciplinary Process: Formalise the consequences for security policy violations, resulting in a clear deterrent and a mechanism for enforcing accountability across the organisation.
- Include “Rules of Engagement” (ROE) for privileged users.
- Ensure all policies are signed by staff during onboarding.
- Align the disciplinary process with local employment laws.
2. Personnel Security and Awareness
3. Conduct Background Screening: Apply consistent vetting processes to all new hires and contractors, proportionate to their level of access, resulting in a reduced risk of malicious insider activity.
4. Deliver Targeted Security Awareness Training: Run regular education sessions that cover phishing, social engineering, and password hygiene, resulting in a workforce that acts as a proactive security sensor.
- Update training content to reflect the current threat landscape relevant to the ISMS scope.
- Verify training completion via a centralised management system.
- Conduct simulated social engineering tests to measure behavioural shifts.
3. Access Guardrails and Identity Management
5. Provision Role-Based Access Control (RBAC): Implement least-privilege access via your Identity and Access Management (IAM) platform, resulting in users being confined to the systems and data their role requires, which limits the damage a behavioural lapse can cause.
6. Enforce Multi-Factor Authentication (MFA): Mandate MFA for all external access and privileged system changes, resulting in a technical barrier that prevents credential misuse even when behavioural lapses occur.
- Link IAM roles directly to specific job descriptions.
- Audit access rights quarterly to prevent privilege creep.
- Automate the revocation of access for leavers or movers.
4. Physical and Environmental Controls
7. Enforce Clear Desk and Clear Screen Policies: Implement automated screen locks and physical storage requirements, resulting in the protection of sensitive information from unauthorised physical observation.
- Provision secure lockers for sensitive physical documents.
- Set idle-time screen lockouts to a maximum of five minutes.
- Conduct out-of-hours office inspections to verify compliance.
5. Monitoring, Reporting, and Improvement
8. Provision an Incident Reporting Channel: Establish a simple mechanism for staff to report suspicious activity, resulting in the rapid identification of potential security breaches or behavioural anomalies.
9. Audit User Activity and Behavioural Logs: Provision monitoring tools to analyse logs for “impossible travel” or anomalous data access, resulting in the detection of account compromises or insider threats.
10. Update the Asset Register with Ownership: Assign custodial responsibility for every asset, resulting in clear accountability for the behavioural security of organisational information.
- Analyse reporting trends to identify gaps in awareness.
- Review User Behaviour Analytics (UBA) as part of the risk review.
- Align findings with the continuous improvement requirements of Clause 10.
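As an added illustration of the "impossible travel" check described in step 8 (this is example code written for this page, not a tool the page or ISO 27001 prescribes), the snippet below compares consecutive sign-ins per user and flags any pair whose implied speed exceeds a plausible ceiling. The event layout, the coordinates, and the 900 km/h threshold are assumptions; the sign-in records are constructed sample data.

```python
# Added example: minimal "impossible travel" detection over sign-in records.
# Event format, coordinates and the 900 km/h threshold are assumptions, not
# values from the page or from any specific monitoring product.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly commercial-flight speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier_event, later_event, implied_kmh) for every pair of
    consecutive sign-ins by the same user whose implied speed exceeds max_kmh."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours <= 0:  # same timestamp from two places is also impossible
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                findings.append((user, prev, cur, round(speed)))
    return findings


def _ev(user, ts, city, lat, lon):
    return {"user": user, "time": datetime.fromisoformat(ts), "city": city, "lat": lat, "lon": lon}


# Constructed sample data, not real log entries: alice "travels" London to
# Singapore in 90 minutes; bob takes 13 hours, which a flight can achieve.
SAMPLE_SIGNINS = [
    _ev("alice", "2024-03-04T08:00:00", "London", 51.5074, -0.1278),
    _ev("alice", "2024-03-04T09:30:00", "Singapore", 1.3521, 103.8198),
    _ev("bob", "2024-03-04T08:00:00", "London", 51.5074, -0.1278),
    _ev("bob", "2024-03-04T21:00:00", "Singapore", 1.3521, 103.8198),
]

if __name__ == "__main__":
    for user, a, b, kmh in find_impossible_travel(SAMPLE_SIGNINS):
        print(f"{user}: {a['city']} -> {b['city']} implies {kmh} km/h")
```

Only alice is flagged; bob's 13-hour gap is consistent with a real flight, which is why the speed ceiling, rather than distance alone, drives the alert.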
Behavioural controls FAQ
What are behavioural controls in the context of ISO 27001?
Behavioural controls are information security measures designed to influence and govern human actions to mitigate risks such as social engineering, insider threats, and accidental data loss. Since 82% of data breaches involve a human element, these controls are fundamental to a robust Information Security Management System (ISMS).
How do behavioural controls reduce organisational security risks?
Behavioural controls reduce risk by establishing a security-conscious culture, which can decrease human-error-related incidents by up to 70%. By implementing clear Acceptable Use Policies (Annex A 5.10) and mandatory background screening, organisations create technical and psychological guardrails that prevent unauthorised data access and strengthen operational resilience.
Which ISO 27001 Annex A controls focus on human behaviour?
The primary behavioural controls within ISO 27001 include:
- Annex A 5.2: Defining information security roles and responsibilities to ensure 100% staff accountability.
- Annex A 5.10: Establishing Rules of Engagement for the acceptable use of information and assets.
- Annex A 6.3: Providing mandatory information security awareness, education, and training.
- Annex A 6.4: Implementing a formal disciplinary process for security policy violations.
What is the role of a disciplinary process in behavioural security?
A formal disciplinary process (Annex A 6.4) serves as a vital deterrent against intentional policy violations and negligent behaviour. It ensures that 100% of security breaches involving personnel are handled consistently, reinforcing the organisation’s commitment to security and providing auditors with evidence of enforced governance within the ISMS.
How often should behavioural awareness training occur for compliance?
ISO 27001 requires training at least annually or upon significant organisational changes, though quarterly reinforcement is an industry best practice. Evidence suggests that continuous training programmes can reduce the probability of a successful phishing attack from 30% to less than 5% within a twelve-month implementation cycle.