Getting HR Ready for ISO 27001
Good auditors don't audit control lists — they audit the employee lifecycle. Here's how to prepare HR and IT together.
When companies prepare for an ISO 27001 certification audit, HR is often the last department to get attention. The thinking usually goes like this: the ISMS is an IT topic, the auditor will spend most of their time with the CISO and the infrastructure team, and HR just needs to show a few signed contracts and a training record.
Then the audit happens, and some of the most uncomfortable findings land squarely between HR and IT. An account that was still active three weeks after the employee left. A contractor who received domain admin rights on day one because “that’s what the last guy had.” A background check that was completed two months after the person already had access to production data.
None of these findings belong to HR alone. None of them belong to IT alone. And that is exactly the point of this article.
If you want to prepare your HR department for an ISO 27001 audit, working through the people controls of Annex A.6 is necessary, but it is not sufficient. The controls that actually break in practice sit at the interface between HR and IT, and a good auditor knows exactly where to look. So should you.
The comfortable illusion of A.6
Let’s start with what HR typically prepares for. Annex A of ISO/IEC 27001:2022 dedicates eight controls to people:
A.6.1 Screening
A.6.2 Terms and conditions of employment
A.6.3 Information security awareness, education and training
A.6.4 Disciplinary process
A.6.5 Responsibilities after termination or change of employment
A.6.6 Confidentiality or non-disclosure agreements
A.6.7 Remote working
A.6.8 Information security event reporting
Most audit preparation follows this list from top to bottom. HR pulls a sample employment contract, the NDA template, the training completion report, and the disciplinary policy. Everything gets filed neatly, and on paper the department looks ready.
The problem is that this list is a catalogue, not a process. Real employment doesn’t happen in numerical order. An employee is screened, hired, onboarded, equipped, trained, perhaps promoted, and eventually offboarded. Security either holds together across that entire journey or it doesn’t. And critically: at several points along that journey, HR hands the baton to IT.
If your preparation stops at the A.6 boundary, you are preparing for the audit you wish you were getting, not the one you will actually get. Experienced auditors don’t audit control lists. They audit the employee lifecycle. Your preparation should follow the same logic.
Phase 1: Before employment — the handoff nobody owns
The joining process is where the HR–IT interface first shows its cracks.
HR’s part is well established. A.6.1 requires background verification proportional to the role and the classification of information the person will access. A.6.2 and A.6.6 cover the legal safety nets: employment terms that reference security responsibilities, and confidentiality agreements that are actually signed before access is granted. Be prepared to show not just the templates, but evidence from a sample of recent hires — auditors sample, they don’t admire blank forms.
But here is the question that separates a prepared organization from an exposed one: once HR signs the paperwork, how does IT find out?
Paperwork doesn’t give anyone access to the network. Somewhere, a trigger has to fire. Maybe HR opens a ticket, maybe the HRIS pushes to the identity system, maybe someone sends an email. This is where controls from outside A.6 enter the picture:
A.5.16 Identity management — how is the digital identity created, and how quickly after (not before) the contractual prerequisites are met?
A.5.18 Access rights — who decides what the new hire can access? Is it role-based, or does the new marketing manager get “the same as Sandra” because that was fastest?
A.5.17 Authentication information — how does the initial password reach the employee? A post-it in the welcome package is evidence too, just not the kind you want.
An auditor will pick a recent hire and walk the trail: contract signed on which date, screening completed when, ticket to IT opened when, account created when, access approved by whom. If HR believes IT handles the timing and IT believes HR handles the approvals, the gap becomes visible within minutes.
Prepare for this by walking that exact trail yourself, together with IT, for two or three recent joiners. If the trail is clean, you have your evidence ready. If it isn’t, you’ve found your corrective action before the auditor did — which is precisely what internal preparation is for.
Phase 2: During employment — behavior, not binders
Once people are settled, the risk shifts from access to behavior, and the evidence auditors want shifts accordingly.
For A.6.3 awareness and training, completion rates alone are weak evidence. Everyone knows employees can click “Next” through a slide deck while eating lunch. Stronger evidence shows that training is role-appropriate (developers get secure coding content, HR gets content on handling personal data), that it recurs, and ideally that its effectiveness is measured — phishing simulation results, quiz scores, or awareness metrics reported to management.
A.6.7 remote working deserves particular attention, because hybrid work is now the default rather than the exception. The policy needs to exist, but more importantly, it needs to connect to technical reality. If the policy says “company data only on managed devices,” IT should be able to demonstrate the device management that enforces it. Again: a people control that only works if HR and IT tell the same story.
A.6.4 disciplinary process is the control most organizations hope will never be tested. The auditor doesn’t expect a wall of terminated employees. They expect a formal, communicated process that treats security violations consistently — and if an incident has occurred, evidence that the process was actually followed rather than resolved with a hallway conversation.
One practical note: A.6.8, event reporting, technically belongs to the people controls, but in an audit it lives more naturally alongside incident management. Prepare it there. What HR should be able to answer is simpler: do employees know how to report something suspicious, and is that channel covered in training?
Phase 3: After employment — where the clock is ticking
Offboarding is, in my experience, the phase where audits produce the most findings, and the reason is structural: joining a company is a celebrated, coordinated event. Leaving one is often an administrative afterthought.
HR’s formal duty under A.6.5 is to ensure departing employees are reminded that confidentiality obligations survive the employment relationship. That’s the easy part — an exit checklist and a standard letter cover it.
The hard part is speed, and the hard part belongs to the interface again:
A.5.16 / A.5.18 — how fast are accounts disabled and access rights revoked? Same day? The auditor will compare the termination date in the HR system with the deactivation timestamp in the directory. Any gap of days is a finding waiting to be written.
A.5.11 Return of assets — laptops, tokens, badges, keys. Assigned assets must be tracked, collected, and the collection documented. “We’re pretty sure we got the laptop back” is not a sentence you want spoken during an audit.
Special attention goes to the departures nobody plans for: immediate terminations, and the quieter case of internal role changes. An employee moving from finance to sales is an offboarding and onboarding in one — old access rights should be removed, not merely supplemented. Accumulated access from previous roles is one of the most common findings in mature organizations, precisely because no single termination event ever triggers a review.
Preparing the department: three things to do before the auditor arrives
If you take one thing from this article, let it be this: prepare HR and IT together, not in parallel.
First, walk the lifecycle end to end. Take one recent joiner, one current employee, and one recent leaver. Trace each through the full chain — screening, contract, identity creation, access assignment, training, and for the leaver, revocation and asset return. Every date, every approval, every handoff. This single exercise surfaces more audit-relevant gaps than any document review.
Second, agree on who owns each handoff. The audit findings that sting are rarely about missing policies. They are about the moment where HR assumed IT was informed and IT assumed HR would follow up. Write the handoffs down: who triggers account creation, who approves access, who confirms deactivation, and within what timeframe. If it’s documented and lived, it’s auditable.
Third, prepare people, not just papers. The auditor will interview HR staff, and the strongest impression a department can make is when the people in it can explain the process in their own words — not recite the policy, but describe what actually happens when someone joins or leaves. That confidence is only possible when the process genuinely works.
ISO 27001 puts people controls in their own neat category, and it’s tempting to prepare them in an equally neat silo. But security doesn’t respect org charts. The employee lifecycle runs straight through HR and IT, and your audit preparation should run the same route. Get the two departments in one room, walk the journey together, and the A.6 controls will largely take care of themselves.
Be the GRC practitioner AI can’t replace.
– Aron
Before you go: NIS2 is coming for your organization too.
If cross-functional security is the theme of this article, NIS2 is where it becomes law. The directive makes management personally accountable for cybersecurity — and that includes the people processes we just walked through.
On July 10, I’m running a live NIS2 Essentials Training with my partner TRECCERT. The session takes you from the directive’s scope and obligations to what implementation actually looks like in practice. You’ll leave knowing whether your organization is in scope, what the minimum measures require, and how to get ahead of enforcement instead of reacting to it.
Seats are limited to keep the session interactive.
→ Secure your spot in the NIS2 Essentials Training
Disclosure: This is an affiliate link. If you register through it, I receive a commission at no additional cost to you.



