A.6.4 and A.6.5 — Disciplinary Process and Post-Employment
The Human Factor in Information Security: Why Controls A.6.4 and A.6.5 Matter
After fifteen years of conducting ISO 27001 audits, I can tell you that the most sophisticated cyberattacks often pale in comparison to the damage caused by a single disgruntled employee with legitimate access. Controls A.6.4 (Disciplinary Process) and A.6.5 (Responsibilities After Termination or Change of Employment) address this uncomfortable reality. These controls aren't just HR paperwork—they're critical security controls that protect against insider threats at their most vulnerable moments.
The statistics tell a sobering story. While organizations invest millions in firewalls and endpoint protection, the greatest threats often come from within. During my audits, I've seen data exfiltration occur during notice periods, credential sharing spike when employees feel undervalued, and systematic policy violations escalate unchecked because disciplinary processes were either nonexistent or inconsistently applied.
Controls A.6.4 and A.6.5 work together to create a comprehensive approach to personnel security incidents. A.6.4 establishes how organizations respond when employees violate information security policies, while A.6.5 ensures security responsibilities continue beyond employment. Get these wrong, and you're creating insider threat vectors that no technical control can mitigate.
Control A.6.4: Building an Effective Disciplinary Process
Control A.6.4 requires organizations to establish a formal disciplinary process for personnel who commit information security policy violations. The 2022 revision emphasizes that this process should be graduated, considering factors like intentionality, severity, and whether proper training was provided. This isn't about creating punishment—it's about establishing consistent, proportionate responses that actually improve security behavior.
The control directly connects to Control 5.3 (Roles and Responsibilities) and the awareness requirements in Clause 7.3. If people don't understand their security responsibilities or haven't received proper training, disciplinary action becomes legally and ethically problematic. I've audited organizations with elaborate disciplinary matrices, but when I asked for evidence of security awareness training, they showed me a single PowerPoint from three years ago. That's not a disciplinary process—that's setting people up to fail.
Essential Elements of an Effective Disciplinary Process
Based on countless audit observations, an effective information security disciplinary process must include:
- Clear violation categories with defined severity levels — Accidentally forwarding an email to the wrong recipient requires a different response than intentionally exfiltrating customer data. Your process must distinguish between these scenarios.
- Graduated response framework — First-time minor violations might warrant coaching or refresher training. Repeated violations or severe incidents justify progressively stronger actions, up to and including termination.
- Investigation procedures — How do you verify that a violation actually occurred? Who conducts investigations? What evidence standards apply? I've seen too many "disciplinary actions" based on incomplete information or misunderstandings.
- Documentation requirements — Every disciplinary action needs a clear paper trail that includes the violation, investigation findings, action taken, and rationale. This protects both the organization and the individual.
- Appeal mechanisms — Employees must have recourse if they believe disciplinary action was inappropriate or based on incorrect information.
- Integration with existing HR frameworks — Security disciplinary processes cannot operate in isolation from broader employment policies and legal requirements.
The 2022 revision specifically mentions that responses should consider whether violations were intentional or accidental, and whether proper training was provided. This reflects a maturation in thinking about security incidents—not everything is malicious, and training gaps often masquerade as policy violations.
The Consistency Challenge
Here's where most organizations fail: consistent application across all personnel levels. During one memorable audit, I reviewed seventeen security policy violations over eighteen months. The pattern was disturbing—senior staff received verbal counseling for the same violations that resulted in written warnings for junior employees. When I raised this with the CISO, they admitted they hadn't realized the pattern existed.
Consistency isn't just about fairness—it's about maintaining the credibility of your entire security program. If employees perceive that rules don't apply equally, they'll lose confidence in the entire system. Your disciplinary process must work the same way for everyone, from the CEO to summer interns.
Practical Tip: Establish a review committee for all security disciplinary actions. Include HR, security leadership, and a manager from an unrelated department. This helps ensure consistency and provides checks against potential bias.
Control A.6.5: Managing Post-Employment Security Responsibilities
Control A.6.5 addresses what happens to information security responsibilities when employment relationships change or end. The control recognizes that security obligations often extend beyond the last day of employment—confidentiality agreements, intellectual property protections, and return of assets all continue post-termination.
This control cross-references with Control 6.6 (Confidentiality Agreements) and connects to broader asset management controls in Section 5. It's not just about retrieving laptops and badges—it's about ensuring that former employees understand their ongoing security obligations and cannot use their inside knowledge to harm the organization.
Critical Components of Post-Employment Security
An effective post-employment security process addresses several key areas:
- Asset return procedures — Physical devices, access cards, documentation, and intellectual property must be systematically retrieved. This includes personal devices that accessed company systems.
- Access revocation timing — When exactly are accounts disabled? Immediately upon notification of resignation? On the last working day? The timing matters, especially for privileged access.
- Ongoing confidentiality obligations — What information remains confidential after employment ends? For how long? How do you ensure departing employees understand these continuing obligations?
- Knowledge transfer security — How do you transfer critical knowledge without compromising security? This is particularly challenging when security-critical personnel leave.
- Monitoring post-departure activity — Do you monitor for unusual access attempts using former employee credentials? What about contacts with current employees that might indicate attempted information gathering?
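Two of the items above, access revocation timing and monitoring for access attempts with former employee credentials, are the ones that lend themselves to an automated check. The following is an added example, not part of the original article or of any product it mentions: it reconciles an HR departure roster against an identity-provider account export to find accounts still enabled after the last working day, and scans authentication log lines for logins (successful or failed) by departed users after that day. The roster, the account export, the log format and its field names (`user=`, `result=`, `src=`) are all constructed for illustration and would be replaced by your directory export and SIEM query in practice.

```python
"""Offboarding reconciliation and post-departure access detection (added example).

All data below is constructed for illustration; the log format and account
field names are assumptions, not a real product's schema.
"""
from datetime import datetime, date
import re

# Constructed HR departure roster: username -> last working day.
DEPARTURES = {
    "jdoe": date(2024, 3, 15),
    "asmith": date(2024, 3, 29),
    "contractor7": date(2024, 2, 28),   # contractors belong on the roster too
}

# Constructed IdP account export (field names are assumptions).
ACCOUNTS = [
    {"username": "jdoe", "enabled": False, "privileged": True},
    {"username": "asmith", "enabled": True, "privileged": False},
    {"username": "contractor7", "enabled": True, "privileged": True},
    {"username": "bwong", "enabled": True, "privileged": False},
]

# Constructed authentication log in an assumed syslog-like format.
AUTH_LOG = """\
2024-03-14T09:02:11Z vpn-gw login user=jdoe result=success src=10.0.4.12
2024-03-16T22:47:03Z vpn-gw login user=jdoe result=failure src=203.0.113.9
2024-03-16T22:47:41Z vpn-gw login user=jdoe result=failure src=203.0.113.9
2024-03-20T08:15:00Z sso login user=asmith result=success src=10.0.4.30
2024-04-02T03:11:58Z sso login user=contractor7 result=success src=198.51.100.7
2024-04-02T03:12:30Z sso login user=bwong result=success src=10.0.4.55
"""

# Date on which the offboarding review is run (constructed).
AS_OF = date(2024, 4, 3)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) "
    r"result=(?P<result>\w+) src=(?P<src>\S+)$"
)


def stale_accounts(accounts, departures, as_of):
    """Accounts still enabled for people whose last day is already past.

    Privileged accounts are listed first, then the longest overdue, so the
    reviewer sees the highest-risk gaps at the top.
    """
    findings = []
    for acct in accounts:
        last_day = departures.get(acct["username"])
        if last_day is None or not acct["enabled"]:
            continue  # still employed, or already disabled: nothing to flag
        if as_of > last_day:
            findings.append({
                "username": acct["username"],
                "days_overdue": (as_of - last_day).days,
                "privileged": acct["privileged"],
            })
    findings.sort(key=lambda f: (not f["privileged"], -f["days_overdue"]))
    return findings


def post_departure_logins(log_text, departures):
    """Authentication events by departed users after their last working day.

    Failed attempts are kept as well: repeated failures against a disabled
    account still indicate that someone is trying the former credentials.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        last_day = departures.get(m["user"])
        if last_day is None:
            continue
        event_day = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        if event_day > last_day:
            hits.append({
                "user": m["user"],
                "timestamp": m["ts"],
                "result": m["result"],
                "src": m["src"],
                "days_after": (event_day - last_day).days,
                # a successful login after departure is the serious case
                "severity": "high" if m["result"] == "success" else "medium",
            })
    return hits


if __name__ == "__main__":
    for f in stale_accounts(ACCOUNTS, DEPARTURES, AS_OF):
        print("STALE ACCOUNT", f)
    for h in post_departure_logins(AUTH_LOG, DEPARTURES):
        print("POST-DEPARTURE AUTH", h)
```

Run against the constructed data, the reconciliation flags the contractor's still-enabled privileged account and the analyst's account left active past her last day, and the log scan surfaces two failed attempts against the disabled administrator account the day after he left plus a successful login by the departed contractor. Both outputs are the kind of evidence an auditor asks for under "monitoring processes for the resignation risk period": they show the control operating, not just a written procedure.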
The control also applies to contractors and temporary personnel, which many organizations overlook. When a contractor's engagement ends, the same security considerations apply—they may have had access to sensitive information and systems that require protection.
The Resignation Risk Period
One of the highest-risk periods for any organization is between resignation notification and an employee's final day. During this period, motivation may be low, loyalty questionable, and access still active. I've seen organizations handle this period brilliantly and disastrously, often within the same company for different departures.
During one audit, I reviewed the departure process for a system administrator who had resigned. The organization immediately revoked his privileged access but allowed him to work his full notice period with standard user access. They assigned a colleague to shadow him during knowledge transfer sessions and monitored all his system activity. When he left, they conducted a thorough review of his recent activities and found no concerning behavior. This is how it should work.
Contrast this with another organization where a financial analyst downloaded customer records to a USB drive during her notice period. The organization only discovered this months later during a routine audit. They had no monitoring in place for departing employees and no process for reviewing activities during notice periods.
What Auditors Look For: Evidence Requirements
When I audit these controls, I look for specific evidence that demonstrates effective implementation:
For Control A.6.4 (Disciplinary Process):
- Documented disciplinary procedures that specify violation categories and response frameworks
- Evidence of consistent application across personnel levels and departments
- Training records showing that employees understand security policies before disciplinary actions
- Investigation procedures and documentation standards
- Records of actual disciplinary actions (anonymized) showing the process in action
- Integration with HR policies and legal compliance requirements
For Control A.6.5 (Post-Employment Responsibilities):
- Documented departure procedures covering asset return and access revocation
- Evidence of systematic implementation for recent departures
- Ongoing confidentiality agreements and communication of post-employment obligations
- Knowledge transfer procedures that maintain security
- Monitoring processes for the resignation risk period
- Application to contractors and temporary personnel
I also test the effectiveness of these processes. During one audit, I asked to see evidence of how the organization handled a recent departure of a database administrator. They produced excellent documentation showing immediate access revocation, systematic knowledge transfer, and ongoing monitoring for unusual activity. That's evidence of a control operating effectively.
Integration with Related Standards and Controls
These controls don't operate in isolation. They integrate closely with other parts of your ISMS and related standards:
Within ISO 27001: Controls A.6.4 and A.6.5 connect to access management controls (A.9), information classification (A.8.2), and, when dealing with contracted personnel, supplier relationship controls (A.15).
ISO 27036 (Supplier Relationships): When contractors or suppliers provide personnel, similar disciplinary and departure processes should apply, often managed through contractual requirements.
ISO 27018 (Cloud Privacy): For cloud service providers, these controls become critical for protecting personal information when personnel with access to personal data leave or violate policies.
Implementation Insight: Don't reinvent the wheel. Most organizations already have disciplinary and departure procedures. The key is ensuring these existing processes adequately address information security considerations and are consistently applied.
Common Implementation Mistakes
After years of auditing these controls, certain mistakes appear repeatedly:
Treating these as pure HR matters: While HR typically manages the processes, information security must be actively involved in design and implementation. The CISO or security manager should review all security-related disciplinary actions and departure procedures.
Inconsistent application: The biggest credibility killer is applying different standards to different personnel levels. Document your criteria clearly and apply them consistently.
Focusing only on technical access: Yes, disable accounts promptly. But also consider physical access, ongoing confidentiality obligations, and knowledge that could be misused.
Ignoring contractors and temporary personnel: These individuals often have the same access as employees but may not be covered by your standard procedures.
No monitoring during notice periods: The period between resignation and departure is high-risk. Some level of additional monitoring is prudent, especially for privileged users.
Moving Forward: Implementation Recommendations
For organizations implementing or improving these controls:
- Start with your existing processes — Don't create parallel systems. Enhance your current disciplinary and departure procedures to address information security adequately.
- Ensure security involvement — Security leadership should review and approve procedures, even if HR manages day-to-day implementation.
- Test your processes — Conduct tabletop exercises for different departure scenarios. What happens if your system administrator gives two weeks' notice? What about immediate termination for cause?
- Document everything — Clear procedures, consistent application, and thorough documentation protect both the organization and individuals involved.
- Regular review and improvement — These processes should be reviewed regularly and updated based on lessons learned and changing business needs.
Remember, these controls are about managing human risk during vulnerable periods. They're not just compliance checkboxes—they're practical measures that protect your organization when traditional technical controls may not be sufficient.
For more detailed guidance on implementing these and other personnel security controls, consider connecting with experienced practitioners through the IX ISO 27001 Info Hub or consulting with specialists who can provide organization-specific implementation advice.
Need personalized guidance? Reach our team at ix@isegrim-x.com.
Related Articles
- A.6.1 through A.6.3 — Screening Employment Terms and Awareness
- A.6.6 and A.6.7 — NDAs and Remote Working Security
- A.6.8 Information Security Event Reporting — Building a Culture That Reports
- Annex A.5.1 through A.5.4 — Information Security Policies and Roles
- A.7.1 through A.7.4 — Physical Perimeters Entry and Securing Facilities