ISO 27001 A.6.4: Disciplinary process
What This Control Requires
A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.
In Plain Language
Security policies without consequences are just suggestions. This control is about having a clear, fair, communicated disciplinary process for when someone violates your information security policies. It acts as both a deterrent and a structured framework for handling non-compliance when it happens.
The process needs to be proportionate and consistent. A first-time accidental screen-lock violation does not warrant the same response as deliberately exfiltrating customer data. Define escalation levels based on severity, intent, whether it is a repeat offence, and the actual impact on the organisation.
Critically, people need to know the process exists before you can enforce it. Everyone should understand that there are real consequences for violating security policies and what those consequences look like. Cover this during onboarding and reinforce it in security awareness training.
How to Implement
Build a formal disciplinary procedure for information security violations. Work with HR and legal to make sure it aligns with employment law and fits within your existing disciplinary framework. This should integrate with your general disciplinary process, not replace it.
Define violation categories with corresponding actions. For example:
- Accidental minor violations, such as forgetting to lock a screen: verbal reminder and additional training.
- Repeated minor violations: escalate to a formal written warning.
- Negligent handling of sensitive information: final written warning with mandatory retraining.
- Deliberate violations, such as unauthorised data access or sharing: suspension or termination.
- Criminal activity, such as data theft or fraud: termination and legal action.
Establish a fair investigation process. Before taking action, investigate to determine the facts, severity, intent, and any mitigating circumstances. Document the investigation. Give the individual a chance to provide their account. Respect privacy and employment rights throughout.
Communicate the process to everyone. Put it in the employee handbook, reference it in employment contracts and security policies, cover it in awareness training, and post it on the intranet. Be clear about what counts as a violation and what follows.
Apply the process consistently regardless of seniority. The moment a senior leader gets a pass that a junior employee would not, the entire process loses credibility. Keep records of all disciplinary actions including the violation, investigation, decision, and outcome. Review the process periodically to make sure it is still fit for purpose.
Evidence Your Auditor Will Request
- Documented disciplinary procedure for information security violations
- Evidence of communication to all personnel through handbooks, training, or policies
- Records of disciplinary actions taken for security violations with investigation documentation
- Integration of security disciplinary process with HR disciplinary framework
- Periodic review records of the disciplinary process
Common Mistakes
- No formal disciplinary process specifically addressing information security violations
- Process exists but has not been communicated to personnel
- Disciplinary actions are applied inconsistently across the organisation
- Minor violations are ignored, leading to a culture where policies are not taken seriously
- No investigation process before disciplinary action is taken
Frequently Asked Questions
Should we take disciplinary action for accidental policy violations?
How do we handle security violations by senior management?