04) Is there a formal disciplinary process for employees who have intentionally breached information security policy?
HR Security Disciplinary Process
Written by Haydn Brooks
Created on March 18, 2019
Modified on August 28, 2019

Answer yes if your organisation has a formal disciplinary process that is followed if an employee is found to have intentionally breached information security policy. Please provide a document outlining the process (as a PDF file) as evidence (this may be covered by your organisation’s Disciplinary Policy).

It is important to have a formal disciplinary procedure documented in case any employee intentionally breaches any of your organisation’s policies and enforcement action has to be taken. Having this process documented ensures that the process is transparent and consistent.

Policies only hold weight if they are consistently and effectively enforced.

However, it is important to establish whether a policy has been broken intentionally or by accident. If, for example, an employee broke one of your information security policies because they were not aware of the rules it contains, it may be better to increase employee training and awareness efforts than to discipline the employee.

How to implement the control:
Disciplinary procedures can be subject to legal requirements that can vary between countries. Engaging a law firm to help your company build a disciplinary process is the best way to ensure a legal and high-quality process is embedded in your organisation. You can also build your own policy as long as it complies with the [Acas](https://www.acas.org.uk/index.aspx?articleid=2174 "ACAS") (Advisory, Conciliation and Arbitration Service) Code of Practice. The UK government has some good advice that covers the key steps within a disciplinary process; this can be found [here](https://www.gov.uk/disciplinary-procedures-and-action-at-work "UK Gov").
