The disciplinary process is one of those activities that managers often try to avoid. In a workplace setting, discipline management is a continuous process for addressing poor behavior and non-conformance with policies and procedures. The objective of an organizational disciplinary process should be to correct behavior, not to punish or embarrass an employee. Control A.7.2.3 of ISO 27001 requires organizations to document their disciplinary process for taking action against employees involved in a breach. The control statement reads as follows:
“There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.”
Need For Documenting Your Disciplinary Process
Having a documented process helps your organization maintain consistency. Your managers can refer to the documented information when making decisions, instead of acting arbitrarily. Ideally, your disciplinary process should be limited to verbal/written warnings, suspensions, and termination where appropriate. Without a process in place, managers may resort to changing work schedules, assigning unpleasant work, or denying leave requests. For legal as well as practical reasons, these are not effective solutions.
LIFARS cybersecurity and risk advisory consultants with proven experience provide the technical capability to develop advisories and mitigations on evolving cybersecurity threats.
Does Your Organization’s Culture Play A Role?
Managers are in an ideal position to build trust with the employees on their teams and give them regular guidance. Following organizational policies and procedures should be the norm, not the exception. When an employee violates any of your information security policies and procedures, managers must raise the issue with the employee directly. However, this is easier said than done.
Organizations need to foster a culture where open communication between managers and employees is possible. Without a doubt, a meeting about misconduct or an information security violation will never be entirely comfortable. However, regular team meetings and one-on-one meetings help organizations remove communication barriers. Employees will be more at ease discussing why they did what they did. At times, this helps address issues early, so that organizations do not need to initiate their full-fledged disciplinary process.
As you saw earlier, Control A.7.2.3 also requires that your disciplinary policy be communicated to employees. Whenever a new employee joins your team, this policy should be part of the onboarding process. This way, they have a clear idea of what they can and cannot do. Otherwise, employees can argue that you never informed them that such a policy, with its disciplinary proceedings, was in place. As a matter of standard practice, employers often ask prospective employees to sign a declaration stating that the employee has read the company's policies and procedures and agrees to follow them throughout their employment and thereafter.
According to our experts, organizational culture contributes to the chances of potential information security violations by employees. It also plays a part in the number of disciplinary processes an organization undertakes in a year.
Implementing A Progressive Disciplinary Process
The best way to ensure employee conformance with organizational policies is to follow a progressive approach. For example, in cases of minor violations, a manager can advise the employee on what they should do to ensure that the violation does not recur. On the other hand, serious violations leading to information security breaches may result in suspension or termination. Because internal culture varies from one organization to another, there cannot be a one-size-fits-all approach: behavior that is acceptable in one corporate setting may not be tolerated at all in another. Regardless, good practices such as open communication, documented policies, and consistent decision making will always help.
It is common practice to incorporate information security violations into the existing disciplinary process. For comprehensive coverage, organizations often include all types of policy violations. However, the implementation guidance for Control A.7.2.3 limits its application to a defined incident of an information security breach. It specifies that:
- Organizations should conduct prior verification that a breach has occurred.
- The disciplinary process should provide for fair treatment of employees suspected of being involved in a breach.
- The disciplinary process should provide a graduated response. It should consider the nature and gravity of a breach, along with its impact on the business. It should also define the actions to take when a violation is a first-time or a repeat offense.
- The disciplinary process should align with the organization’s training program, business contracts, applicable laws, and other relevant factors.
A comprehensive disciplinary process will help your organization meet its obligations under relevant standards and laws. It will serve as consistent guidance for your managers when dealing with information security violations. While following the defined process is always a top priority, the implementation guidance recognizes that deliberate breaches warrant immediate action. On top of this, for a fully progressive approach, organizations can offer benefits or incentives that reward exemplary employee behavior concerning information security.