
Audit clause six of ISO 27001:2022 by examining people controls from pre-employment screening to offboarding, using interview techniques, checklists, and evidence such as onboarding and training logs.
Apply a realistic model of Infoshare Limited to audit the clause six people controls in ISO 27001:2022, analyzing screening, background checks, training, access, and disciplinary processes through interviews and templates.
Assess and ensure competent, aware personnel under ISO 27001:2022 people controls, including screening, terms of employment, roles and responsibilities, awareness training, and fair disciplinary processes.
Audit professionals explore ISO 27001 control 6.1 screening within a model company, evaluating background checks, security training, and HR records to identify red flags and non-conformities.
Apply control 6.2 by embedding information security obligations into employment terms for employees and contractors, covering confidentiality, acceptable use, data protection, and disciplinary consequences.
Explore ISO 27001:2022 control 6.3 on awareness, education and training to reduce human error and ensure security responsibilities across onboarding, role-specific learning, and contractor inclusion.
Control 6.4 requires a formalized, communicated disciplinary process for information security violations, detailing violation types, investigation steps, escalation, and consequences, with fair, documented enforcement across all staff and contractors.
Clearly define and assign information security responsibilities to employees, contractors, and third parties, embed them in job descriptions and procedures, and verify through audits to close non-technical and third-party gaps.
Implement control 6.5 of ISO/IEC 27001:2022 (responsibilities after termination or change of employment) to revoke access, preserve the principle of least privilege, and reassign responsibilities during offboarding or role changes, guided by audit-ready exit management and de-provisioning.
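One audit test for this control that goes beyond reviewing the exit checklist is to reconcile HR leaver and mover records against account exports from each system and flag access that was not revoked, was revoked late, or was carried over into a new role. The script below is an added example, not course material or an InfoSure Ltd. artefact; the HR records, account exports, system names and the one-day revocation SLA are all constructed assumptions.

```python
"""Reconcile HR leaver/mover records against account exports to find
de-provisioning gaps (ISO 27001:2022 control 6.5). Added example; all
data below is constructed and does not describe any real organisation."""
from dataclasses import dataclass
from datetime import date

# Constructed HR feed: (person_id, event, effective_date, new_role_or_None)
HR_RECORDS = [
    ("E100", "leaver", date(2024, 3, 1), None),
    ("E101", "leaver", date(2024, 3, 15), None),
    ("E102", "mover", date(2024, 2, 20), "helpdesk"),  # left finance-admin role
]

# Constructed account exports: (system, person_id, status, last_change, groups)
ACCOUNTS = [
    ("idp", "E100", "disabled", date(2024, 3, 1), []),
    ("vpn", "E100", "active", None, []),                     # never revoked
    ("idp", "E101", "disabled", date(2024, 3, 22), []),      # revoked 7 days late
    ("vpn", "E101", "disabled", date(2024, 3, 15), []),
    ("idp", "E102", "active", date(2024, 2, 20), ["finance-admin", "helpdesk"]),
]

# Assumed entitlement model: which groups each role is allowed to hold.
ROLE_ENTITLEMENTS = {"finance-admin": {"finance-admin"}, "helpdesk": {"helpdesk"}}


@dataclass(frozen=True)
class Finding:
    person_id: str
    system: str
    issue: str      # access-not-revoked | late-revocation | privilege-retained
    detail: str


def audit_deprovisioning(hr_records, accounts, sla_days=1, today=date(2024, 4, 1)):
    """Return one Finding per account that contradicts the HR event for its owner."""
    by_person = {}
    for system, pid, status, changed, groups in accounts:
        by_person.setdefault(pid, []).append((system, status, changed, groups))

    findings = []
    for pid, event, effective, new_role in hr_records:
        for system, status, changed, groups in by_person.get(pid, []):
            if event == "leaver":
                if status != "disabled":
                    # Account still usable after the leaving date.
                    findings.append(Finding(pid, system, "access-not-revoked",
                        f"still {status} {(today - effective).days} days after leaving"))
                elif changed is not None and (changed - effective).days > sla_days:
                    # Revoked eventually, but outside the assumed SLA.
                    findings.append(Finding(pid, system, "late-revocation",
                        f"disabled {(changed - effective).days} days after leaving, SLA {sla_days}"))
            elif event == "mover":
                # Least privilege: a mover should only keep groups the new role allows.
                allowed = ROLE_ENTITLEMENTS.get(new_role, set())
                excess = sorted(set(groups) - allowed)
                if excess:
                    findings.append(Finding(pid, system, "privilege-retained",
                        f"kept {excess} after moving to {new_role}"))
    return findings


if __name__ == "__main__":
    for f in audit_deprovisioning(HR_RECORDS, ACCOUNTS):
        print(f"{f.person_id} {f.system:4} {f.issue:22} {f.detail}")
```

Each finding maps to evidence the auditor would then trace back: the HR effective date, the system's account change log, and the exit checklist entry that should have triggered the revocation. On a real engagement the account exports would come from the identity provider and each in-scope system rather than being embedded in the script.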
Master auditing approaches for ISO 27001:2022 clause 6 people controls, using planning, evidence collection, and interviews with risk-based thinking to prioritize findings and adapt to organizational context.
Examines ISO 27001:2022 control 6.7 on remote working, detailing policies, procedures, encryption, and safeguards such as VPN, MFA, and MDM, plus user responsibilities and audit considerations in a hybrid environment.
Learn how control 6.8 of ISO/IEC 27001:2022 requires personnel to report observed or suspected information security events promptly through appropriate channels, enabling early threat detection and timely response.
Audit people-focused controls in ISO 27001:2022 by examining roles, awareness and training programs, and disciplinary processes, while observing behavior, identifying gaps, and recommending improvements.
Auditing people-related controls in ISO 27001:2022 is one of the most critical, and often underestimated, parts of an Information Security Management System (ISMS) audit. Clause 6 of Annex A groups the People Controls (6.1 to 6.8): screening, terms and conditions of employment, awareness, education and training, the disciplinary process, responsibilities after termination or change of employment, confidentiality agreements, remote working, and information security event reporting. These controls directly address human factors, which remain a leading cause of information security incidents.
In this course, you’ll learn how to audit Clause 6 controls step by step using a structured, practical approach. We’ll explore each control in depth, supported by detailed audit checklists, real-world scenarios, and application to our model company, InfoSure Ltd. You’ll learn how to evaluate both compliance and effectiveness, ensuring your audits don’t just tick boxes but drive genuine security improvements.
We’ll cover how to:
Audit role and responsibility definitions to ensure security tasks are clearly assigned and understood.
Assess the design and delivery of awareness and training programs, including role-specific and threat-specific content.
Review disciplinary processes for handling information security breaches fairly and consistently.
Evaluate remote working arrangements for compliance with security requirements.
Verify that information security incidents are reported promptly and handled according to policy.
Apply risk-based thinking to prioritize people control audits where they matter most.
You’ll also gain hands-on experience through assignments that simulate real audit scenarios. These exercises will challenge you to identify gaps, document findings, and recommend corrective actions.
By the end of this course, you will be able to:
Confidently audit all People Controls in Clause 6 of ISO 27001:2022.
Use professional checklists to capture evidence and assess compliance.
Apply risk-based auditing to focus on high-impact human factors.
Produce clear, actionable audit reports that support ISMS improvement.
Whether you’re an internal auditor, external auditor, compliance officer, or ISO 27001 implementer, this course will give you the tools, techniques, and confidence to audit People Controls effectively and add real value to your organization’s security posture.