Establish, implement, and maintain a personnel health and safety policy.

Establish/Maintain Documentation


This Control directly supports the implied Control(s):
  • Human Resources management, CC ID: 00763

This Control has the following implementation support Control(s):
  • Post evacuation plans and evacuation procedures throughout facilities., CC ID: 06073
  • Maintain a 1 to 2 day supply of water and nonperishable food at the facility in case public utilities are interrupted., CC ID: 06074
  • Install duress alarms in susceptible public areas., CC ID: 06075
  • Require regular vacations for personnel using restricted information or sensitive information., CC ID: 06550
  • Establish, implement, and maintain health and safety personnel disinfecting procedures., CC ID: 06802
  • Provide protective face masks for critical personnel, as necessary., CC ID: 06803
  • Establish, implement, and maintain food preparation procedures., CC ID: 06804
  • Establish, implement, and maintain food handling procedures., CC ID: 11765
  • Vaccinate critical employees, as necessary., CC ID: 06805
  • Protect personnel from work-related intimidation., CC ID: 07046
  • Establish, implement, and maintain a travel program for all personnel., CC ID: 10597


  • App 2-1 Item Number VI.4.1(1): The organization must ensure the work environment is managed properly by improving IT in accordance with healthcare considerations. App 2-1 Item Number VI.4.1(2): Personnel must receive regular medical examinations and counseling about their physical and mental health. (App 2-1 Item Number VI.4.1(1), App 2-1 Item Number VI.4.1(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O86: The organization shall implement health care management for all employees. O86.1: The organization shall ensure all personnel involved in operating the computer systems have regular medical examinations, counseling, and other health care management measures depending on work content, work style… (O86, O86.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organizational policy statement must ensure that the scope of the organizational resilience management system includes a commitment, as the first priority, to community and employee life safety. (§ 4.2.1(b), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Policies and procedures shall be established for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas. (FS-01, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • The organization shall establish requirements for cleanliness, health, and clothing, if contact between the product or work environment and the personnel could adversely affect quality. (§ 6.4(a), ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall monitor the operation of the system to verify it is operated in a way that is compliant with occupational safety and environmental protection regulations. (§, ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Procedures should be implemented to ensure there is an appropriate level of health and safety protection for personnel at all recovery sites, including fire safety and building inspections. Service providers should consider using non noxious gases for fire detection and suppression systems. If this … (§ 6.4.16, § 6.10.7, § 6.12.5, § 6.13.1, § 6.13.2, § 6.13.5, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • When securing rooms, offices, and facilities, relevant health and safety regulations and standards should be taken into account. (§ 9.1.3, ISO 27002 Code of practice for information security management, 2005)
  • If contact between the personnel and the environment or product could adversely effect product quality, a medical device manufacturer shall establish and maintain health, personal practices, cleanliness, and clothing requirements. (§ 820.70(d), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • The physical protection of the cyber components and data associated with the ICS must be addressed as part of the overall security of a plant. Security at many ICS facilities is closely tied to plant safety. A primary goal is to keep people out of hazardous situations without preventing them from do… (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)