Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Annex A People Controls (ISO-A-PEO)
The People Controls under ISO/IEC 27001 Annex A evaluate how human-related security risks are governed across the employment lifecycle. This domain focuses on whether people (employees, contractors, and third parties) are trusted, enabled, and held accountable in a way that supports enterprise security objectives.
Purpose of People Controls
Proportional Trust
Individuals are trusted based on role sensitivity and risk exposure, ensuring access aligns with verified credentials and responsibilities.
Clear Expectations
Security requirements are communicated explicitly and enforced consistently across all organizational levels and employment types.
Behavioral Alignment
Human actions support rather than undermine technical controls through continuous awareness and accountability mechanisms.
Lifecycle Governance
Security responsibilities persist throughout the entire engagement lifecycle: before, during, and after employment or contractor relationships.
People controls test a fundamental question: does security survive contact with real human behavior? Organizations with mature people controls recognize that technical safeguards alone cannot compensate for inadequate human risk governance. These controls establish the foundation for a security-aware culture where individuals understand their role in protecting enterprise assets and information.
Screening & Pre-Employment Assurance
Control Objective
This control area examines whether individuals are appropriately vetted before access is granted. Screening establishes initial trust levels and identifies potential risks that could compromise security objectives.
Effective screening is risk-proportionate, not uniformly applied. Roles with elevated privileges, access to sensitive data, or external-facing responsibilities demand more rigorous verification processes.
Key Aspects
  • Risk-Based Screening: Vetting intensity aligned with role sensitivity and potential impact of compromise
  • Identity Verification: Validation of credentials, employment history, and professional qualifications
  • Consistent Application: Standardized processes ensuring equitable treatment across similar risk profiles
  • Exception Governance: Documented approval and risk acceptance for deviations from screening standards

Enterprise Principle: Trust must be established before access is provided. Screening is not a compliance formality; it is a fundamental risk control that prevents inappropriate access from the outset.
Terms, Conditions & Responsibility
Contractual Obligations
Security responsibilities are formally embedded in employment agreements, contractor terms, and engagement letters. These obligations create enforceable commitments that extend beyond informal expectations.
Accountability Framework
Individuals acknowledge specific security duties, confidentiality requirements, and acceptable use policies. This acknowledgment establishes clear lines of responsibility that support governance and audit requirements.
Access Alignment
Contractual terms must align with actual system access, data exposure, and operational privileges. Discrepancies between formal agreements and real-world access create accountability gaps.
This control area evaluates whether security responsibilities are formally acknowledged and enforceable. Formal responsibility reinforces governance intent by ensuring that individuals cannot claim ignorance of security expectations. When terms and conditions explicitly address security obligations, organizations gain legal and operational leverage to address violations and enforce compliance.
Security Awareness, Education & Training
  1. Role-Appropriate Content: Training programs are tailored to specific roles, responsibilities, and risk exposure rather than delivering generic content to all personnel.
  2. Risk-Aligned Delivery: Topics and scenarios reflect actual threats and vulnerabilities relevant to the organization's operating environment and industry context.
  3. Effectiveness Measurement: Organizations assess whether awareness translates to behavioral change through testing, simulations, and incident analysis.
  4. Continuous Reinforcement: Security awareness is an ongoing program, not a one-time training event, with regular updates reflecting evolving threats and organizational changes.
This control area focuses on whether individuals are enabled to act securely. Knowledge without relevance does not change behavior—effective awareness programs connect security concepts to daily work activities and demonstrate practical application. Organizations must move beyond compliance-driven training checkboxes to create genuine security competency across the workforce.

Critical Insight: Awareness without relevance does not change behavior. Training effectiveness is measured by reduced security incidents and improved security hygiene, not completion rates.
Disciplinary Process & Enforcement
Enforcement Framework
This control area examines whether security expectations are consistently enforced through defined disciplinary processes. Without credible enforcement, security policies become suggestions rather than requirements.
Disciplinary processes must be proportional to the severity and intent of violations while maintaining consistency across organizational levels. Selective enforcement undermines control credibility and creates cultural perception that security is negotiable.
Defined Consequences
Clear disciplinary pathways for security policy violations with escalation procedures
Proportional Response
Penalties aligned with violation severity, intent, and organizational impact
Consistent Application
Enforcement applied equitably regardless of seniority, department, or relationship
Systemic Oversight
Governance of repeated violations and patterns indicating control failures
Enforcement credibility determines control effectiveness. Organizations that fail to address violations signal that security is not a genuine priority, encouraging further non-compliance and eroding security culture.
Responsibilities After Termination or Change
  1. Immediate Revocation: Access rights are disabled promptly upon termination or role change, preventing unauthorized system entry during transition periods.
  2. Asset Recovery: Physical and digital assets are returned or securely disposed of, including devices, credentials, and proprietary information.
  3. Continuing Obligations: Confidentiality and non-disclosure commitments persist beyond employment, protecting sensitive information indefinitely.
  4. Risk Monitoring: Post-employment activities are monitored for potential security implications, especially for high-privilege or sensitive roles.
This control area evaluates whether security obligations persist beyond active engagement. Residual trust must be actively removed, not assumed to expire. Many insider threats materialize during poorly managed termination processes or role transitions when access lingers after employment ends.
Effective termination controls recognize that former employees retain knowledge, relationships, and potentially access that could be exploited. Organizations must implement robust offboarding processes with verification mechanisms ensuring complete access revocation and asset recovery.
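A reconciliation check for the "delayed revocation" failure mode discussed above: it compares an HR termination feed against an identity-provider account export and flags every terminated user whose access outlived a revocation SLA, producing the kind of access-revocation evidence an assessor would ask for. This is an added example, not code from the page or its author; the record layouts, field names, the 24-hour SLA and all sample records are assumptions constructed for illustration.

```python
# Added example: detect access that lingers after HR termination.
# Record formats and sample data are constructed, not from any real system.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Finding:
    user: str
    terminated_at: datetime
    still_enabled: bool   # True = account is open right now
    hours_open: float     # how long access outlived the termination


# Constructed HR feed: (user, status, termination timestamp or None)
HR_ROSTER = [
    ("alice", "terminated", "2026-01-05T17:00:00"),
    ("bob",   "terminated", "2026-01-06T09:00:00"),
    ("carol", "active",     None),
    ("dave",  "terminated", "2025-12-20T12:00:00"),
]

# Constructed IdP export: user -> (enabled?, disable timestamp or None).
# "dave" has no record at all: account already deleted, nothing to flag.
IDP_ACCOUNTS = {
    "alice": (True,  None),
    "bob":   (False, "2026-01-06T11:30:00"),
    "carol": (True,  None),
}

NOW = datetime.fromisoformat("2026-01-08T09:00:00")  # assumed audit time


def reconcile(hr, idp, now, sla=timedelta(hours=24)):
    """Return a Finding for each terminated user whose access exceeded the SLA."""
    findings = []
    for user, status, term in hr:
        if status != "terminated" or user not in idp:
            continue  # still employed, or account fully removed
        term_at = datetime.fromisoformat(term)
        enabled, disabled_at = idp[user]
        # The access window closes at the disable time, or is still open now.
        closed_at = now if enabled else datetime.fromisoformat(disabled_at)
        lag = closed_at - term_at
        if lag > sla:
            findings.append(Finding(user, term_at, enabled, lag.total_seconds() / 3600))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, IDP_ACCOUNTS, NOW):
        print(f"{f.user}: {f.hours_open:.1f}h after termination, enabled={f.still_enabled}")
```

Running the check on a schedule and retaining its output gives a dated record of both the lag and the remediation, which is the evidence the Evidence Perspective below calls for.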
Relationship to the ECIL Capability Model
People Controls intersect strongly with multiple Security Capability Clusters (SCCs) in the ECIL. These controls are not isolated; they reinforce and enable capabilities across identity management, monitoring, governance, and third-party risk management.
SCC-01: Governance, Risk & Compliance
People controls establish accountability frameworks, policy enforcement mechanisms, and responsibility structures that operationalize governance objectives across the organization.
SCC-02: Identity & Access Management
Pre-employment screening and post-termination procedures directly support identity lifecycle management, ensuring access aligns with verified trust and current employment status.
SCC-05: Logging, Monitoring & Detection
Security awareness programs enable behavioral detection by helping personnel recognize and report suspicious activities, anomalies, and potential security incidents.
SCC-09: Third-Party Risk Management
People controls extend to contractors, suppliers, and business partners, ensuring consistent security expectations across all individuals with organizational access.
Evidence & Failure Perspectives
Evidence Perspective
Evidence supporting People Controls demonstrates active governance of human risk, not policy existence. Auditors and assessors evaluate whether organizations implement and maintain effective practices throughout the employment lifecycle.
Representative Evidence Includes:
  • Background screening records with risk-based justifications and approval workflows
  • Signed employment agreements, confidentiality commitments, and acceptable use acknowledgments
  • Training completion metrics, assessment results, and effectiveness measurements
  • Disciplinary records documenting security violations and enforcement actions
  • Termination checklists, access revocation logs, and asset return confirmations
Failure Perspective
Common failure patterns reveal where organizations treat people controls as administrative formalities rather than risk governance mechanisms. These failures often enable insider risk and persistent access abuse.
Typical Failure Modes:
  • Screening as Checkbox: Background checks conducted without risk assessment or consistent standards
  • Generic Awareness: Training programs disconnected from real organizational risks and threat landscape
  • Selective Enforcement: Inconsistent application of disciplinary measures based on seniority or relationships
  • Delayed Revocation: Access persisting days or weeks after termination due to process gaps
  • Missing Obligations: Contractual terms lacking specific security responsibilities and confidentiality requirements
How to Use This Page
This resource interprets ISO/IEC 27001 Annex A people-related controls through the ECIL, emphasizing risk governance over compliance formalism. Use this page to align HR, security, and management responsibilities while preparing for ISO audits without reducing people controls to administrative checklists.
  1. Governance Interpretation: Apply risk-based thinking to people controls, evaluating whether practices effectively manage human-related security risks rather than simply documenting policies.
  2. Cross-Functional Alignment: Bridge organizational silos by connecting HR processes, security requirements, and management accountability within a unified governance framework.
  3. Audit Preparation: Prepare for ISO/IEC 27001 assessments by understanding what evidence demonstrates effective control implementation versus superficial compliance.
  4. Leadership Communication: Explain human risk findings clearly to executive leadership using business language that connects security controls to organizational risk management.

Critical Question
Can the organization trust its people: by design, not by assumption?
People Controls answer this fundamental question by establishing structured governance mechanisms that verify, enable, and enforce security throughout the employment lifecycle.