Auditing people-related controls in ISO 27001:2022 is one of the most critical – and often underestimated – parts of an Information Security Management System (ISMS) audit. Clause 6 of Annex A focuses on People Controls, covering role definition, awareness, education, training, disciplinary processes, remote work, and incident reporting. These controls directly address human factors, which remain the leading cause of information security incidents.

In this course, you’ll learn how to audit Clause 6 controls step by step using a structured, practical approach. We’ll explore each control in depth, supported by detailed audit checklists, real-world scenarios, and application to our model company, InfoSure Ltd. You’ll learn how to evaluate both compliance and effectiveness, ensuring your audits don’t just tick boxes but drive genuine security improvements.

We’ll cover how to:

• Audit role and responsibility definitions to ensure security tasks are clearly assigned and understood.

• Assess the design and delivery of awareness and training programs, including role-specific and threat-specific content.

• Review disciplinary processes for handling information security breaches fairly and consistently.

• Evaluate remote working arrangements for compliance with security requirements.

• Verify that information security incidents are reported promptly and handled according to policy.

• Apply risk-based thinking to prioritize people control audits where they matter most.

You’ll also gain hands-on experience through assignments that simulate real audit scenarios. These exercises will challenge you to identify gaps, document findings, and recommend corrective actions.

By the end of this course, you will be able to:

• Confidently audit all People Controls in Clause 6 of ISO 27001:2022.

• Use professional checklists to capture evidence and assess compliance.

• Apply risk-based auditing to focus on high-impact human factors.

• Produce clear, actionable audit reports that support ISMS improvement.

Whether you’re an internal auditor, external auditor, compliance officer, or ISO 27001 implementer, this course will give you the tools, techniques, and confidence to audit People Controls effectively and add real value to your organization’s security posture.

Who this course is for:

• Information security auditors, compliance officers, HR managers, and ISO 27001 implementers seeking to master auditing of people-related controls.