ISO 27001 requires a disciplinary process under Annex A control A.7.2.3, and many companies find it difficult to formalize and document this. The process is often equated with the term "warning", and there are fears that addressing the issue will have negative effects on industrial peace.
There are more instruments than just warnings and termination.
Instead of endangering industrial peace, my experience as an information security officer (ISB) has shown me how important transparency is at this point for the successful introduction and operation of an information security management system (ISMS). Employees are aware that violations of regulations can have consequences. However, aversions often only arise when the consequences are incalculable. For this reason, these should be defined and communicated in advance:
| Example | Measure | Level |
|---|---|---|
| An employee expresses incomprehension regarding the information security measure. | Informal conversation | CISO |
| Even after the informal conversation, the employee continues to question the measure. | Formal conversation | CISO |
| The employee ignores the measure and shows no understanding. | Clarifying conversation with minutes | CISO |
| The employee tells colleagues how to circumvent the measure. | Formal conversation | CISO & responsible supervisor |
| The employee threatens to circumvent important measures. | Clarifying conversation with minutes | CISO & responsible supervisor |
| The employee motivates colleagues to look for ways to circumvent measures. | Clarifying conversation with minutes | CISO & responsible department head |
| The employee provokes a minor incident. | Clarifying conversation with minutes and warning | CISO & Management |
| The employee commits information theft or sabotage, carries out an attack, publishes secret information, etc. | Termination | Management |
Of course, the aim of the disciplinary process is not to silence employees. Constructive criticism from the workforce can and should be used to improve. Measures must always be appropriate and adequately support and protect the company's goals and information security goals. If the findings from the informal discussions suggest that this is not the case, a timely correction can be made through the continuous improvement process.