ISO 27001:2022 A 6.4 Disciplinary process

Disciplinary Process talks about the need for organisations to put in place some form of disciplinary process to serve as a deterrent so that personnel will not commit information security violations. Information security violation is a breach of the rules or laws governing the proper handling of information. Information security policies are established by organisations to protect confidential, proprietary and personal data, such as customer records and credit card numbers. Information security policies also include computer security policies that help ensure the safety and integrity of data stored on computers. Information security violations include but are not restricted to:

  • Browsing computer or paper records without appropriate authorization and a legitimate business reason
  • Information lost or compromised
  • Loss or theft of equipment containing organizational information
  • Repeated incidents of unattended or lost smart cards
  • Using unencrypted memory sticks
  • Using customer or employee personal data or information without appropriate authorization and a legitimate business reason
  • Disclosing customer or employee personal data or information without appropriate authorization and a legitimate business reason
  • Disclosing computer passwords
  • Sending the information insecurely outside the organization
  • Sending sensitive personal data or identifiable personal information to the wrong person or customer
  • Unauthorized disclosure of organizational information to third parties e.g. the press.

This Disciplinary process should be formally communicated and a suitable penalty designed for employees and other relevant interested parties who commit an violation. If an employee violates an organisation’s information security policy, he or she could be subject to disciplinary action or termination from employment. In some cases, a company may choose not to terminate an employee who breaks its computer usage policy, but instead take other appropriate measures to prevent future violations of company policy.

A 6.4 Disciplinary process


A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.


To ensure personnel and other relevant interested parties understand the consequences of information security policy violation, to deter and appropriately deal with personnel and other relevant interested parties who committed the violation.

ISO 27002 Implementation Guidance

The disciplinary process should not be initiated without prior verification that an information security policy violation has occurred .
The formal disciplinary process should provide for a graduated response that takes into consideration factors such as:
a) the nature (who, what, when, how) and gravity of the breach and its consequences;
b) whether the offence was intentional (malicious) or unintentional (accidental);
c) whether or not this is a first or repeated offence;
d) whether or not the violator was properly trained.
The response should take into consideration relevant legal, statutory, regulatory contractual and business requirements as well as other factors as required. The disciplinary process should also be used as a deterrent to prevent personnel and other relevant interested parties from violating the information security policy, topic-specific policies and procedures for information security. Deliberate information security policy violations can require immediate actions.

Other information

Where possible, the identity of individuals subject to disciplinary action should be protected in line with applicable requirements. When individuals demonstrate excellent behavior with regard to information security, they can be rewarded to promote information security and encourage good behavior.

There should be a formal disciplinary process for employees who have committed a security breach. A security breach happen where there has been a deliberate attempt, whether successful or not, to compromise organizational assets such as information, people, IT, premises, or any accident resulting in loss of assets. A formal disciplinary process must be established by the organization in relation to employees who have violated the organization’s security policies and procedures and, for retention of evidence. Disciplinary processes should aim to be a deterrent to employees who might otherwise be inclined to disregard security policies and procedures. Where appropriate, discipline should be in line with the relevant employment act conditions. For employees not covered under this, discipline should be in line with contract terms and conditions. Where it is formally stated that some activity is not allowed, but informally action is not generally taken against the activity (e.g. banning the distribution of jokes via e-mail), any subsequent disciplinary action that is taken in this regard may be subject to legal challenge and may, therefore, be unenforceable. Disciplinary action should accurately reflect the nature of the breach of policy. Minor infringements are to be expected and should be dealt with through cautions and user security awareness education. Repeated minor infringements may be symptomatic of an inappropriate policy or control, and should entail a re-assessment of its suitability. Repeated minor infringements not due to an inappropriate policy or control, or a major breach of security, maybe more suitably dealt with by formal sanctions such as termination of access (temporary or permanent) or legal action. The nature of appropriate disciplinary action should be determined by the workforce management function, in consultation with security officers and with legal officers if legal action is contemplated. Control includes:

  • a reasonable evidentiary standard to initiate investigations (reasonable suspicion that a breach has occurred);
  • appropriate investigatory processes, including specification of roles and responsibilities, standards for the collection of evidence and chain of custody of evidence;
  • disciplinary proceedings that observe reasonable requirements for due process and quality of evidence;
  • a reasonable evidentiary standard to determine fault, that ensures correct and fair treatment for persons suspected of a breach;
  • sanctions that appropriately take into consideration factors such as the nature and gravity of the breach, its impact on operations, whether it is a first or repeat offence, whether or not the violator was appropriately trained, whether or not the violator exercised due care or exhibited negligence;
  • an overall process that functions both as deterrent and sanction.

Leave a Reply