Annex A · People Control

A.6.4 — Disciplinary Process

Reading time: 4 min · Reviewed by: Cenedril Editorial
Tags: A.6.4 · ISO 27001 · ISO 27002 · BSI ISMS.1

A sales manager repeatedly ignores the clean-desk policy, leaves printed customer lists on a shared desk overnight and forwards confidential pricing data to a private email address. Colleagues report it informally, but nothing happens — because the organization has no defined process for handling security violations. A.6.4 requires exactly this process to exist, be documented and be communicated.

The control ensures that personnel understand the consequences of violating information-security policies and that the organization has a fair, graduated and legally compliant mechanism to address violations.

What does the standard require?

The core requirements center on four principles:

  • Formal process. The organization must have a documented disciplinary process specifically addressing information-security policy violations.
  • Graduated response. The process must account for the severity of the violation, whether it was intentional or accidental, whether it is a first or repeat offense, and whether the person had been adequately trained.
  • Fairness and legal compliance. The process must comply with applicable employment law and be applied consistently. Due process — investigation, hearing, documented decision — is essential.
  • Communication. All personnel must be informed about the existence and content of the disciplinary process. It should be referenced in employment contracts (A.6.2) and covered in awareness training (A.6.3).

In practice

Document the process. Write a short, clear procedure that defines: who can initiate proceedings, who investigates, what factors determine severity, what the escalation steps are and who makes the final decision. Include this in the HR Security Policy.

Integrate with the ISMS. The disciplinary process should reference the ISMS policy set so that it is clear which rules can trigger it. Every major policy (acceptable use, access control, incident management) should include a sentence pointing to the disciplinary process.

Train managers. Line managers are usually the first to observe or receive reports of violations. They need to know when to escalate, how to document an incident and what they should avoid doing (e.g. conducting their own investigation before involving HR).

Consider positive reinforcement. Alongside consequences for violations, reward visible good security behavior. Phishing-simulation champions, security-culture awards or gamification elements in awareness programs help build the culture that disciplinary measures alone cannot create.

Typical audit evidence

Auditors typically expect the following evidence for A.6.4:

  • Disciplinary procedure document — the formal process description (link to HR Security Policy in the Starter Kit)
  • Communication records — evidence the process was communicated (e.g. via training, intranet, policy acknowledgement)
  • Employment contract references — clauses referencing the disciplinary process
  • Case records (if applicable) — anonymized documentation of past proceedings, demonstrating the process works
  • Management review input — reports on the number and nature of violations, fed into the management review

KPI

Is a documented disciplinary process for IS violations in place and communicated?

This is a binary KPI: yes or no. For a first audit cycle, “documented and communicated” is sufficient. In subsequent cycles, auditors may look for evidence that the process has been applied at least once or tested through a tabletop exercise.

Supplementary KPIs:

  • % of employees who can correctly describe the consequence of a policy violation (measured via survey or awareness quiz)
  • Number of documented security-policy violations per quarter (trending — a sudden spike or complete absence both warrant investigation)
  • Average time from violation report to resolution

BSI IT-Grundschutz

A.6.4 maps to:

  • ISMS.1.A8 (Handling security incidents) — requires that the consequences of policy violations are defined and documented as part of incident management.
  • IND.1.A7 (Establishment of a permission concept) — in industrial environments, includes disciplinary measures for unauthorized access.

A.6.4 depends on and reinforces several other people controls:

Frequently asked questions

Does A.6.4 mean we need to fire people for security violations?

The control requires a graduated process. Responses range from a verbal warning for a first minor offense to formal disciplinary action for repeated or deliberate violations. Termination is one possible outcome at the far end of the scale, depending on severity and local employment law.

Should the disciplinary process also cover positive behavior?

ISO 27002 explicitly suggests that recognizing good security behavior can be part of the approach. Incentives — public recognition, small rewards, gamification in awareness campaigns — reinforce the culture you want.

What if a contractor violates a security policy?

The disciplinary process in the narrow sense applies to employees. For contractors, the equivalent mechanism is the service agreement: contractual penalties, escalation to the supplier's management or termination of the contract.