Behavioural controls are measures that influence the actions and conduct of people to ensure they handle information securely. They are a core part of an organisation’s Information Security Management System (ISMS) because the human element is often a significant source of risk. Instead of focusing on technology or physical barriers, these controls aim to foster a security-conscious culture and manage the security responsibilities of individuals throughout their employment lifecycle.
Examples
- Information Security Awareness, Education, and Training: Regular training sessions to teach employees about security policies, common threats like phishing, and best practices for protecting data.
- Disciplinary Process: A clear and documented process for addressing security policy violations, ensuring that non-compliance is handled consistently and fairly.
- Terms and Conditions of Employment: Including information security responsibilities in employment contracts and job descriptions so employees are aware of their obligations from the beginning.
- Responsibilities After Termination: Defining and enforcing security responsibilities that continue after an employee leaves, such as the obligation to maintain confidentiality and the process for returning company assets.
ISO 27001 Context
Behavioural controls are a key component of the People controls domain (formerly Annex A.7) within ISO 27001, which is focused on human resources security. The standard requires that organisations implement these controls to ensure that all personnel, including employees, contractors, and third party users, are aware of and fulfil their information security responsibilities.
