Domain 6 is the smallest of the four Annex A domains — only 8 controls — but it addresses the attack surface that security tools cannot patch: human behavior. The vast majority of successful attacks involve a human vector at some point: a phishing email clicked, a credential reused, a departing employee who kept access they should not have, a contractor who handled data beyond what was agreed. People controls do not make humans infallible — they create the structures that reduce the security risks that humans naturally carry.
For Indonesian organizations, Domain 6 sits at the intersection of information security and employment law — an intersection that requires careful navigation. Screening practices must comply with Indonesian privacy law for applicant data. Disciplinary processes must comply with the Manpower Law. Post-departure obligations must be enforceable under Indonesian contract law. And the awareness training obligation under control 6.3 connects directly to UU PDP's requirement that organizations ensure their staff understand personal data protection obligations.
This article provides complete reference coverage of all 8 people controls, with three areas receiving deeper treatment: the onboarding security process (integrating controls 6.1, 6.2, and 6.3), the offboarding security process (integrating control 6.5 with the 4-hour access revocation SLA), and remote working security (control 6.7, particularly relevant for organizations with significant work-from-home populations in post-pandemic Indonesia).
The People Security Lifecycle
The 8 people controls map naturally to the employment lifecycle — from before someone joins to obligations that survive departure. Understanding this lifecycle mapping helps assign ownership (typically HR and ISMS Manager jointly) and sequence implementation:
PRE-EMPLOYMENT: 6.1 — Screening. Background verification before access is granted.
DURING EMPLOYMENT: 6.2–6.5 — Terms, Awareness, Discipline, Remote. Obligations, training, conduct, and remote work security.
Ongoing obligations that apply across the full employment lifecycle.
Complete Control Reference: All 8 People Controls
The table below provides complete implementation reference for all 8 Domain 6 controls — including requirement summary, implementation guidance, common gap, evidence requirements, and Indonesian regulatory context:
6.1 Screening
Requirement: Verify the backgrounds of all candidates for employment, prior to joining. Verification depth must be proportionate to the role's access to sensitive information, business criticality, and risk level.
Implementation: Define a screening policy specifying which checks are required for each role category. For high-risk roles (privileged access, financial data access): identity verification, criminal record check (SKCK in Indonesia), employment history verification, reference checks, and qualification verification. For standard roles: identity verification, reference checks minimum.
Common gap: Screening applied inconsistently — conducted for permanent staff but not contractors or temporary workers who may have equivalent or greater access.
Reg: Indonesian Manpower Law screening obligations; UU PDP Article 17 lawful basis for processing applicant personal data; financial sector fit-and-proper requirements (OJK)
6.2 Terms and conditions of employment
Requirement: Employment contracts and agreements must clearly state the employee's responsibilities for information security — what they are required to do, what they are prohibited from doing, and what happens if they do not comply.
Implementation: Review employment contracts and ensure they include: confidentiality obligations, IS policy compliance requirements, consequences for IS policy violation, obligations that survive employment (confidentiality post-departure), and reference to the full IS policy suite. For contractors: equivalent terms in service agreements or contractor agreements.
Common gap: Contractor agreements lack IS clauses. Existing staff contracts pre-date current IS policy — not updated when policies were revised.
Evidence: Employment contract template with IS clauses. Contractor agreement template with IS clauses. Signed contracts for all current in-scope staff and contractors.
Reg: Indonesian Manpower Law employment contract requirements; UU PDP — employee confidentiality obligations for personal data; POJK fit-and-proper requirements
6.3 Information security awareness, education and training
Requirement: All employees and relevant contractors must receive appropriate information security awareness education and training, updated regularly. Training must be relevant to their role.
Implementation: Deliver a tiered awareness program: all staff receive annual security awareness (IS policy, data classification, incident reporting, phishing recognition). Role-specific groups receive targeted training (developers: secure coding; finance: BEC recognition; HR: secure onboarding/offboarding). Maintain completion records. Measure effectiveness through behavioral metrics.
Common gap: Training delivered but not measured for effectiveness. Contractors excluded. New hires complete training after 60+ days rather than within 30.
Evidence: LMS completion records per staff member. Training content for each module. Phishing simulation results. Role-specific training records for targeted groups.
Reg: UU PDP awareness obligation for data processors; POJK staff training requirements for IT risk management
6.4 Disciplinary process
Requirement: A formal disciplinary process must exist for employees who have committed an information security breach. The process must be documented, communicated, and proportionate to the severity and nature of the violation.
Implementation: Define an information security disciplinary procedure. Categories of violation: minor (inadvertent breach, first offense), moderate (negligent breach, policy non-compliance), major (intentional breach, data theft, sabotage). Connect to HR disciplinary process. Ensure HR is briefed on IS policy obligations and can apply the procedure appropriately.
Common gap: Discipline procedure exists in HR policy but no specific IS provisions. Staff do not know that IS violations have formal consequences — procedure was never communicated.
Evidence: Disciplinary procedure document with IS-specific provisions. Evidence that staff have been informed of the disciplinary process (policy acknowledgment).
Reg: Indonesian Manpower Law disciplinary and termination requirements; UU ITE criminal provisions for unauthorized access (crossover for major violations)
6.5 Responsibilities after termination or change of employment
Requirement: Information security responsibilities and duties that remain valid after termination of employment must be defined, communicated, and enforced. This includes ongoing confidentiality obligations.
Implementation: Offboarding security checklist covering: (1) access revocation within 4 hours of departure confirmation across ALL systems, (2) asset return (devices, access cards, documents), (3) handover documentation, (4) acknowledgment of continuing confidentiality obligations, (5) final briefing on post-departure data restrictions. For role changes: access rights review and update immediately.
Common gap: 4-hour access revocation SLA exists in policy but not tracked operationally. Physical access cards not recovered. Accounts in cloud systems (SaaS) missed because only AD accounts were revoked.
Evidence: Offboarding checklist and completion records. Access revocation evidence (IAM export showing account disabled on departure date). Asset return records. Signed acknowledgment of continuing obligations.
Reg: Indonesian Manpower Law post-employment obligations; UU PDP continuing confidentiality of personal data; trade secret protections under Indonesian law
6.6 Confidentiality or non-disclosure agreements
Requirement: Requirements for confidentiality or non-disclosure agreements (NDAs) reflecting the organization's information protection needs must be identified, documented, reviewed, and signed by employees and third parties.
Implementation: Identify who requires NDAs: all permanent staff (embedded in employment contract), contractors and consultants (in service agreements), external parties with access to confidential information. Define the information categories covered. Ensure NDAs reference the organization's data classification scheme. Review NDAs when roles or access levels change significantly.
Common gap: NDAs exist for permanent staff in employment contracts but freelancers, contractors, and temporary staff do not have equivalent confidentiality commitments.
Evidence: NDA template(s). Signed NDA records for all in-scope staff and contractors. Evidence that NDAs are renewed/updated when roles change significantly.
Reg: Indonesian trade secret law (UU No. 30/2000); UU PDP confidentiality obligations; contractor confidentiality in POJK outsourcing requirements
6.7 Remote working
Requirement: Implement security measures for staff working remotely — outside the traditional office perimeter. Cover device security, network security, access controls, and the physical environment of the remote workspace.
Implementation: Develop a Remote Working Policy covering: approved devices (corporate-managed only or BYOD with MDM), network requirements (VPN mandatory for production access, no public WiFi without VPN), physical security at home (no family use, clean screen, secure storage of documents), screen lock requirements, and incident reporting when working remotely.
Common gap: Remote working is widespread but no formal policy exists. VPN is available but not mandatory. Staff use personal devices for production access without MDM. No physical security guidance for home offices.
Evidence: Remote Working Policy. Evidence of VPN deployment and usage. MDM enrollment records for remote devices. Staff acknowledgment of remote working policy.
Reg: UU PDP data protection applies regardless of work location; POJK IT risk management in distributed work environments; COVID-era regulatory guidance remains relevant
6.8 Information security event reporting
Requirement: All employees and contractors must be required to report information security events as quickly as possible through appropriate channels. Low-barrier, no-blame reporting is essential to ensure events reach the incident management process before they escalate.
Implementation: Define what counts as a reportable event (broader than most staff think: suspicious emails, lost devices, accidental data disclosure, unusual system behavior, suspected unauthorized access). Establish a simple reporting channel — helpdesk ticket, dedicated email, or mobile app. Train staff to report immediately, without fear of blame. Measure report rate as an ISMS KPI.
Common gap: Staff do not know what to report or who to tell. Fear of blame suppresses reporting — staff who click phishing links hide it rather than reporting. Report rate is near zero, which is the most dangerous signal.
Evidence: Incident reporting procedure. Reporting channel evidence (helpdesk system, email alias). Staff training records covering incident reporting. Incident log showing reports received (high report volume is a positive indicator, not a negative one).
Reg: UU PDP Article 46 — 14-day notification clock starts from discovery; early internal reporting maximizes time for regulatory notification preparation
The Onboarding Security Process
Effective people security begins before an employee starts work. The onboarding process is where controls 6.1 (screening), 6.2 (employment terms), and 6.3 (awareness) first intersect. The checklist below integrates all three controls into a sequenced onboarding process:
Pre-offer (6.1 Screening)
Identity verification completed (KTP, passport)
Criminal record check (SKCK) obtained and reviewed — for high-risk roles
Employment history verified — at least last 2 roles
References contacted and recorded
Qualification/certification verification for technical roles
Screening outcome documented and retained
Offer and contract (6.2, 6.6)
Employment contract includes IS clause: compliance obligation, consequences, confidentiality
NDA signed (if standalone rather than embedded in contract)
Staff informed of the IS Policy suite — provided copies or access links
Data classification policy briefed: what information they will handle and at what level
Day 1 onboarding (6.3, 6.7, 6.8)
LMS enrollment created — IS awareness training assigned with 30-day completion deadline
Reporting channel briefed: how to report a security incident, to whom, and on what timeframe
Remote working policy provided and acknowledged (if applicable)
Physical access card issued — documented in access register
System accounts created per access request form — matching role requirements only
First 30 days (6.3)
IS awareness training completed — LMS completion record retained
Policy acknowledgment signed for IS Policy current version
Line manager confirmed awareness obligations have been communicated
HR and IT coordination is the critical onboarding dependency: The most common onboarding security failure is not the screening or the contract — it is the timing of system access relative to the training obligation. Staff who receive system access before completing awareness training have access to systems they have not been briefed on how to use securely. The LMS enrollment and training completion should be a prerequisite — or at minimum a concurrent requirement — for full production system access provisioning. Build this gate into the HR onboarding workflow, not into a separate ISMS process.
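The training-before-production-access gate described above can be written as policy code that the HR/IT provisioning workflow evaluates for each access request. This is an added example, not code from the article or from any Bitlion tooling; the NewHire record layout, the three-way decision (grant, provisional grant while training is in progress within the 30-day window, deny) and the sample starters are assumptions constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Policy parameter taken from the article: new joiners must complete awareness
# training within 30 days of their start date.
TRAINING_DEADLINE_DAYS = 30


@dataclass
class NewHire:
    """Onboarding record for one starter (hypothetical layout, fed from HR and LMS exports)."""
    user_id: str
    start_date: date
    lms_enrolled: bool
    training_completed_on: date | None = None

    def training_deadline(self) -> date:
        return self.start_date + timedelta(days=TRAINING_DEADLINE_DAYS)


def access_decision(hire: NewHire, environment: str, today: date) -> tuple[str, str]:
    """Gate one access request on awareness-training status.

    Returns (decision, reason). Non-production access is never blocked by the
    training gate. Production access is granted outright once training is
    complete, granted provisionally while training is in progress and the
    30-day window is still open, and denied otherwise.
    """
    if environment != "production":
        return "grant", "non-production access is not gated on awareness training"
    if hire.training_completed_on is not None:
        return "grant", f"awareness training completed on {hire.training_completed_on.isoformat()}"
    if not hire.lms_enrolled:
        # No enrollment means there is no concurrent training to rely on at all.
        return "deny", "no LMS enrollment: training has not started"
    deadline = hire.training_deadline()
    if today <= deadline:
        return ("grant-provisional",
                f"training in progress; production access expires {deadline.isoformat()} unless completed")
    return "deny", f"30-day training deadline {deadline.isoformat()} passed without completion"


def overdue_provisional_access(hires: list[NewHire], today: date) -> list[str]:
    """Users whose provisional production access must be revoked: deadline passed, training incomplete."""
    return [h.user_id for h in hires
            if h.training_completed_on is None and today > h.training_deadline()]


# Constructed sample data for a review run on 2 March 2026.
AUDIT_DATE = date(2026, 3, 2)
SAMPLE_HIRES = [
    NewHire("dewi", date(2026, 2, 2), lms_enrolled=True, training_completed_on=date(2026, 2, 20)),
    NewHire("budi", date(2026, 2, 23), lms_enrolled=True),   # in progress, deadline 25 March
    NewHire("sari", date(2026, 1, 5), lms_enrolled=True),    # deadline 4 February, still incomplete
    NewHire("agus", date(2026, 3, 1), lms_enrolled=False),   # HR never created the LMS enrollment
]

if __name__ == "__main__":
    for hire in SAMPLE_HIRES:
        print(hire.user_id, *access_decision(hire, "production", AUDIT_DATE))
    print("revoke provisional access:", overdue_provisional_access(SAMPLE_HIRES, AUDIT_DATE))
```

Running the periodic review (overdue_provisional_access) is what turns the "concurrent requirement" into an enforced one: without it, a provisional grant silently becomes permanent once the 30 days lapse.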
The Offboarding Security Process
Control 6.5 requires that information security responsibilities and duties remaining valid after termination are communicated, enforced, and documented. In practice, this means a structured offboarding process that closes every access channel — not just Active Directory. The 4-hour access revocation SLA is not a suggestion; it is the standard that auditors test, and the standard that prevents insider data theft during the notice period:
On departure notification (Day 0)
IT Security / IT Manager notified immediately on departure confirmation
Departure date confirmed — access revocation countdown starts
High-risk roles (privileged access, financial system access): enhanced monitoring activated for notice period
Handover documentation requirements confirmed with line manager
Within 4 hours of departure (6.5 — SLA)
All system access revoked: Active Directory / IAM account disabled
Email account access revoked or redirected
VPN access revoked
Cloud application access revoked — check all SaaS applications (not just AD-federated ones)
Privileged accounts: immediately revoked on departure confirmation, not at end of notice period
Building access card deactivated
Final working day (6.5)
All corporate devices returned: laptop, mobile, tokens
Personal devices removed from MDM enrollment
Physical access cards, security tokens, keys returned
DLP scan of returned devices before wipe — check for unusual data transfers during notice period
Corporate documents and data transferred to designated successor — personal copies destroyed
Post-departure (6.5, 6.6)
Signed acknowledgment of continuing confidentiality obligations
NDA/confidentiality reminder letter sent on departure day
Offboarding checklist completed and retained as ISMS evidence
Access revocation confirmed — IAM export showing account disabled status and timestamp
Departing employee informed of their rights regarding their own personal data held by the organization (UU PDP)
The SaaS access gap in offboarding: The most common 6.5 failure is partial access revocation. Organizations that have mature AD-based offboarding still miss accounts in SaaS applications that authenticate independently (not SSO-federated with AD). A departing employee's accounts in Slack, GitHub, Jira, AWS console, Notion, Figma, Salesforce, and every other non-federated SaaS remain active until manually revoked. Maintain a complete SaaS access register linked to each user — offboarding must include every application in the register, not just AD-managed accounts. MDM unenrollment for personal devices is equally often forgotten.
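The register-driven check described above can be automated: after the AD/IdP account is disabled, pull an account-status export from every application in the register and reconcile it against the departing user's assignments. This is an added example, not code from the article or from any Bitlion module; the register layout, the per-application export format, the application names and the user address are assumptions constructed for illustration. It reports the three gaps the article warns about: a non-federated account still active, an application with no export to verify against, and an active account in an application the register never recorded for the user.

```python
# Constructed SaaS access register: application -> whether sign-in is federated with AD/the IdP.
SAAS_REGISTER = {
    "github": {"sso_federated": False},
    "slack": {"sso_federated": True},
    "jira": {"sso_federated": True},
    "aws-console": {"sso_federated": False},
    "notion": {"sso_federated": False},
}

# Constructed per-user view of the register: which applications each user was given.
USER_ASSIGNMENTS = {
    "dewi@example.co.id": ["github", "slack", "jira", "aws-console"],
}

# Constructed account-status exports pulled after the AD account was disabled.
# "idp" is the identity provider itself. Deliberate gaps: the aws-console export is
# missing, and notion shows an account the register never recorded for this user.
APP_EXPORTS = {
    "idp": {"dewi@example.co.id": "disabled"},
    "github": {"dewi@example.co.id": "active"},
    "slack": {"dewi@example.co.id": "disabled"},
    "jira": {"dewi@example.co.id": "disabled"},
    "notion": {"dewi@example.co.id": "active"},
}


def offboarding_gaps(user, register, assignments, exports):
    """Return (application, status, action) findings for accounts not confirmed closed."""
    findings = []
    assigned = assignments.get(user, [])
    for app in assigned:
        export = exports.get(app)
        if export is None:
            findings.append((app, "unverified",
                             "no account export for this application; obtain one before closing the checklist"))
            continue
        if export.get(user, "absent") != "active":
            continue  # disabled or never existed: nothing to do
        if register.get(app, {}).get("sso_federated"):
            findings.append((app, "active",
                             "federated app still active after IdP disable; deprovisioning did not propagate"))
        else:
            findings.append((app, "active", "not SSO-federated; manual revocation required"))
    # Active accounts in applications the register does not list for this user at all.
    for app, export in exports.items():
        if app == "idp" or app in assigned:
            continue
        if export.get(user) == "active":
            findings.append((app, "active",
                             "account not in the access register; revoke manually and correct the register"))
    return findings


def checklist_can_close(findings):
    """The 6.5 offboarding checklist may only be closed when no gaps remain."""
    return len(findings) == 0


if __name__ == "__main__":
    user = "dewi@example.co.id"
    gaps = offboarding_gaps(user, SAAS_REGISTER, USER_ASSIGNMENTS, APP_EXPORTS)
    for app, status, action in gaps:
        print(f"{app:12} {status:11} {action}")
    print("checklist can close:", checklist_can_close(gaps))
```

The second loop is the important one for the register-completeness problem: an export that shows an active account the register did not know about is evidence that the register itself is incomplete, and that finding should feed back into correcting the register, not just into this one offboarding.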
Remote Working Security (6.7)
Remote working is now the standard operating model for many Indonesian knowledge workers, particularly in the technology and financial services sectors. Control 6.7 requires that the organization implements security measures for staff working remotely — but in many organizations, remote working grew so rapidly during 2020–2022 that security policies never caught up with the reality of how and where people work:
Device security
Security requirement: Corporate-managed devices only for access to in-scope systems. MDM enrollment mandatory. Full disk encryption enabled. Screen lock after ≤5 minutes inactivity. Remote wipe capability enabled.
Key risk if absent: Personal device used for production access without MDM. No encryption on remote work device. Sensitive data cached on unmanaged device.
Network security
Security requirement: VPN mandatory for all access to production systems and internal resources. No public WiFi for work activity without VPN. Home router security guidance provided (change default credentials, WPA2+ minimum).
Key risk if absent: Production system access over unsecured WiFi. VPN available but not enforced. Split tunneling allows data to bypass security controls.
Evidence: VPN deployment evidence. Usage logs showing VPN active during remote access sessions. Remote working policy with network requirements.
Physical environment
Security requirement: No family member or guest access to work devices. Clear screen policy when others may observe the screen. Secure storage of work documents at home. No printing of confidential documents to non-secure home printers.
Key risk if absent: Family members use work devices. Confidential screen content visible to cohabitants. Printed confidential documents left unsecured in the home.
Evidence: Remote Working Policy with physical security requirements. Staff acknowledgment. Periodic remote work security self-assessment.
Incident reporting
Security requirement: Staff must report security incidents immediately even when working remotely. Lost/stolen devices must be reported within 1 hour of discovery. The 24/7 reporting channel must be accessible from outside the corporate network.
Key risk if absent: Lost device not reported promptly because staff are unsure of the reporting process from home. Reporting channel only accessible within the corporate network.
Evidence: Remote Working Policy with incident reporting requirements. Incident log entries from remote workers. Device loss/theft response procedure.
Data handling
Security requirement: Confidential and restricted data must be handled with the same controls at home as in the office — no download to unencrypted personal storage, no emailing sensitive data to personal accounts, no screenshots to personal devices.
Key risk if absent: Sensitive data downloaded to personal NAS or cloud drives. Emailed to personal accounts for 'convenience'. Photographed on a personal phone.
Evidence: DLP policy coverage for remote access. Monitoring of data transfer activity for privileged/sensitive data access. Remote working data handling procedure.
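The network security evidence called for above ("usage logs showing VPN active during remote access sessions") is only useful if someone correlates it with production access logs. The check below does that correlation over constructed data. It is an added example, not code from the article; the address plan (an office egress range and a VPN client pool), the VPN session record format, the access log format and the sample lines are all assumptions constructed for illustration. A production access is accepted when it comes from the office range or from a VPN pool address that was assigned to that same user at that moment; everything else is flagged, including the subtler cases of a pool address used after its session ended and a pool address that belonged to a different user's session.

```python
import ipaddress
from datetime import datetime

# Constructed address plan: office egress range and the VPN client pool.
OFFICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")

# Constructed VPN concentrator session records: user, assigned client IP, start, end.
VPN_SESSIONS = [
    ("dewi", "10.200.4.17", "2026-03-02T08:55:00", "2026-03-02T12:10:00"),
]

# Constructed production access log lines: "<timestamp> <user> <source-ip> <target-system>".
ACCESS_LOG = [
    "2026-03-02T09:12:41 dewi 10.200.4.17 prod-db-01",   # inside dewi's VPN session
    "2026-03-02T13:05:02 dewi 10.200.4.17 prod-db-01",   # pool address, but session already ended
    "2026-03-02T10:30:00 budi 203.0.113.44 prod-app-02", # from the office
    "2026-03-02T11:47:19 budi 114.124.5.9 prod-app-02",  # home or public network, no VPN
    "2026-03-02T09:40:00 budi 10.200.4.17 prod-db-01",   # pool address assigned to dewi, not budi
]


def _parse_sessions(session_records):
    """Turn the raw session tuples into typed (user, ip, start, end) tuples."""
    return [(user, ipaddress.ip_address(ip), datetime.fromisoformat(start), datetime.fromisoformat(end))
            for user, ip, start, end in session_records]


def classify_access(line, sessions):
    """Classify one production access as ok-office, ok-vpn or violation, with a reason."""
    ts_text, user, ip_text, target = line.split()
    ts = datetime.fromisoformat(ts_text)
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in OFFICE_NETS):
        return "ok-office", f"{user} -> {target} from office network"
    if ip not in VPN_POOL:
        return "violation", f"{user} -> {target} from {ip} without VPN"
    # Pool address: require an active session for that address, owned by this user.
    for s_user, s_ip, start, end in sessions:
        if s_ip == ip and start <= ts <= end:
            if s_user == user:
                return "ok-vpn", f"{user} -> {target} inside VPN session"
            return "violation", f"{user} -> {target} from VPN address assigned to {s_user}"
    return "violation", f"{user} -> {target} from VPN pool address with no active session"


def audit_remote_access(log_lines, session_records):
    """Classify every access log line; returns a list of (status, reason) in log order."""
    sessions = _parse_sessions(session_records)
    return [classify_access(line, sessions) for line in log_lines]


if __name__ == "__main__":
    for (status, reason), line in zip(audit_remote_access(ACCESS_LOG, VPN_SESSIONS), ACCESS_LOG):
        print(f"{status:10} {reason}")
```

The session time-window check is what makes the VPN pool range meaningful as evidence: a source address in the pool proves nothing by itself, only a matching concentrator session for the same user at the same time does.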
Indonesian remote working context in 2026: Following the normalization of hybrid work post-2022, most Indonesian technology and financial services organizations have significant populations of staff working from home, co-working spaces, and client sites. The BSSN 2025 cyberthreat report identified remote working environments — specifically home network security and the use of personal devices for work — as the most frequently exploited access vectors in Indonesian corporate attacks. The remote working security controls in this article are not theoretical best practices; they address the specific attack paths that are actively being exploited in the Indonesian market.
Information Security Awareness Program Design (6.3)
Control 6.3 requires awareness training — but the standard leaves the design entirely to the organization. The awareness program is one of the most auditable people controls because it produces the most tangible evidence (LMS records, phishing simulation results) and is directly tested through staff interviews. The tiered awareness program below organizes training by audience, ensuring that everyone receives appropriate security knowledge for their role:
Tier 1 — All Staff
Audience: 100% of in-scope employees and contractors
Content:
IS Policy and your obligations under it
Data classification — what level your work involves and how to handle it
Phishing and social engineering recognition
How to report a security incident
Clean desk and device security
Remote working basics (if applicable)
Frequency: Annual + new joiner (within 30 days)
Evidence: LMS completion records. Policy acknowledgment. Phishing sim results.
Tier 2 — IT and Engineering
Audience: IT staff, developers, DevOps, system administrators
Content:
Secure coding principles and OWASP Top 10
Configuration management and hardening standards
Patch management obligations
Privileged access responsibilities and PAM
Incident response technical procedures
Secrets management and CI/CD security
Frequency: Annual + on major tech stack change
Evidence: Training certificates. SAST usage records. Secure coding standard acknowledgment.
Tier 3 — Finance and Procurement
Audience: Finance team, accounts payable, procurement staff
Content:
Business Email Compromise (BEC) recognition — specific scenarios
Payment authorization controls and verification procedures
Supplier onboarding security requirements
What to do if you receive a suspicious payment request
How to verify a change in supplier payment details
Frequency: Annual + after any BEC incident in sector news
Evidence: Training records. BEC simulation results for finance staff. Process records showing verification steps.
Tier 4 — HR
Audience: HR team responsible for onboarding and offboarding
Content:
Onboarding security checklist and LMS enrollment process
Offboarding security checklist and 4-hour access revocation SLA
Background screening requirements by role category
Employment contract IS clauses — what HR must ensure is signed
UU PDP obligations for applicant and employee personal data
Frequency: Annual + on procedure change
Evidence: HR onboarding/offboarding procedure records. Training attendance. Completed checklists.
Tier 5 — Risk Owners (Management)
Audience: Business managers designated as risk owners
Content:
How to read and interpret the risk register
Risk owner accountability — what you are accepting when you sign off
Residual risk acceptance: what it means and what to escalate
Annual risk review process and your role in it
Current top risks in your domain
Frequency: Annual risk owner briefing
Evidence: Briefing attendance records. Signed risk acceptance documents.
Bitlion awareness module integration: Bitlion's platform connects with major LMS providers and security awareness platforms (KnowBe4, Proofpoint Security Awareness, Cofense, and others) through its awareness management module. Training completion records are imported automatically into the ISMS evidence library and linked to each staff member's competence record. The platform tracks completion rates against the 30-day new hire target and the annual renewal deadline, generating alerts when completion falls below target. Phishing simulation results are imported from simulation platforms and tracked as KPIs in the ISMS dashboard.
Domain 6 Common Gaps: Summary
Contractors treated differently from employees
All 8 Domain 6 controls use language like 'all persons doing work under the organization's control' — which explicitly includes contractors, consultants, and temporary workers. The most common Domain 6 audit finding is that controls have been designed and implemented for permanent staff but do not cover contractors who may have equivalent or greater access to sensitive systems. The screening procedure, the employment terms, the awareness training, the NDA, the remote working policy, and the offboarding process must all apply to contractors — adapted for the contractor relationship model.
Event reporting culture suppressed by blame
Control 6.8 requires that events are reported — but cultural factors can make this requirement almost impossible to satisfy despite a technically compliant procedure. In Indonesian organizational culture, where hierarchy and face-preservation are significant social forces, staff are often reluctant to report security incidents because doing so means admitting to clicking a link, losing a device, or making a mistake. The awareness program must explicitly and repeatedly communicate that reporting is valued, not penalized. The most effective signal is management behavior: when a senior leader reports their own security error openly and without consequence, it demonstrates that the culture supports reporting.
4-hour SLA not tracked operationally
The 4-hour access revocation SLA appears in the access control policy and is frequently cited in offboarding procedures — but in many organizations, no one tracks whether it is actually met. The test is simple: for the last 5 departures, compare the departure confirmation time with the account disabled timestamp in the IAM system. If the data to answer this question cannot be retrieved, the SLA is not being tracked. Tracking the access revocation SLA requires three things: a departure notification process that creates a timestamped record, an IAM export that shows account disable timestamps, and a periodic review that compares the two.
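The periodic review that compares the two timestamps is a few lines of code once the departure notifications and the IAM export exist. The script below is an added example, not code from the article or from any Bitlion module; the departure record format, the IAM export layout and the five sample departures are assumptions constructed for illustration. It deliberately includes the two conditions that make the SLA untrackable rather than merely breached: an account that is still enabled, and a user for whom the IAM export has no record at all.

```python
from datetime import datetime

SLA_HOURS = 4  # the article's access revocation SLA

# Constructed HR departure notifications: user -> departure confirmation timestamp.
DEPARTURES = {
    "dewi": "2026-02-02T09:00:00",
    "budi": "2026-02-05T16:00:00",
    "sari": "2026-02-10T10:00:00",
    "agus": "2026-02-12T14:00:00",
    "rina": "2026-02-20T08:30:00",
}

# Constructed IAM export: user -> account state and disable timestamp (None if never disabled).
# agus has no IAM record at all, which is itself a finding.
IAM_EXPORT = {
    "dewi": {"enabled": False, "disabled_at": "2026-02-02T11:30:00"},
    "budi": {"enabled": False, "disabled_at": "2026-02-06T09:05:00"},
    "sari": {"enabled": True, "disabled_at": None},
    "rina": {"enabled": False, "disabled_at": "2026-02-20T12:30:00"},
}


def revocation_sla_report(departures, iam_export, sla_hours=SLA_HOURS):
    """One row per departure: met / breached, or why the SLA could not be measured."""
    rows = []
    for user, confirmed_text in departures.items():
        confirmed = datetime.fromisoformat(confirmed_text)
        record = iam_export.get(user)
        if record is None:
            rows.append({"user": user, "status": "not-tracked", "hours": None,
                         "note": "no IAM record for this user; SLA cannot be evidenced"})
            continue
        if record["enabled"] or record["disabled_at"] is None:
            rows.append({"user": user, "status": "still-enabled", "hours": None,
                         "note": "account still enabled after departure"})
            continue
        hours = (datetime.fromisoformat(record["disabled_at"]) - confirmed).total_seconds() / 3600
        # A negative value means the account was disabled before confirmation
        # (e.g. a privileged account revoked early); that counts as met.
        status = "met" if hours <= sla_hours else "breached"
        rows.append({"user": user, "status": status, "hours": round(hours, 2), "note": ""})
    return rows


def sla_summary(rows):
    """Counts per status, whether every departure was measurable, and the met rate of those that were."""
    counts = {}
    for row in rows:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    measurable = [row for row in rows if row["hours"] is not None]
    counts["tracked"] = len(measurable) == len(rows)
    counts["met_rate"] = round(counts.get("met", 0) / len(measurable), 2) if measurable else None
    return counts


if __name__ == "__main__":
    report = revocation_sla_report(DEPARTURES, IAM_EXPORT)
    for row in report:
        print(f"{row['user']:6} {row['status']:14} {row['hours']!s:>7} {row['note']}")
    print(sla_summary(report))
```

The "tracked" flag in the summary answers the article's question directly: if any departure has no disable timestamp to compare against, the SLA is not being tracked for that population, regardless of how good the met rate looks for the rest.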