Marc Borgers

A friendly and transparent disciplinary process


Tags: Information security management system, ISMS, ISO 27001, PDCA, consequences, ISO 27002, Annex, A.7.2.3, disciplinary process, information security officer, ISB, warning, termination, introduction, operation, corporate objectives, information security objectives, improvement process

ISO 27001 requires a disciplinary process in the Annex under A.7.2.3, and many companies find it difficult to formalize and document this process. It is often equated with the term "warning", and there are fears that addressing the issue will have a negative effect on industrial peace.


There are more instruments than just warnings and termination.

Far from endangering industrial peace, my experience as an information security officer (ISB) has shown me how important transparency is at this point for the successful introduction and operation of an information security management system (ISMS). Employees are aware that violations of regulations can have consequences. Aversion usually arises only when those consequences are incalculable. For this reason, they should be defined and communicated in advance:

Example | Measure | Level
--- | --- | ---
An employee expresses incomprehension regarding the information security measure. | Informal conversation | CISO
Even after the informal conversation, the employee continues to question the measure. | Formal conversation | CISO
The employee ignores the measure and shows no understanding. | Clarifying conversation with minutes | CISO
The employee tells colleagues how to circumvent the measure. | Formal conversation | CISO & responsible supervisor
The employee threatens to circumvent important measures. | Clarifying conversation with minutes | CISO & responsible supervisor
The employee motivates colleagues to look for ways to circumvent measures. | Clarifying conversation with minutes | CISO & responsible department head
The employee provokes a minor incident. | Clarifying conversation with minutes and warning | CISO & Management
The employee commits information theft or sabotage, carries out an attack, publishes secret information, etc. | Termination | Management

Of course, the aim of the disciplinary process is not to silence employees. Constructive criticism from the workforce can and should be used to improve. Measures must always be appropriate and adequately support and protect the company's goals and information security goals. If the findings from the informal discussions suggest that this is not the case, a timely correction can be made through the continuous improvement process.
