Publication Summary
| Title | Employee Disciplinary Process |
|---|---|
| Author(s) | Alessandro Cardinali |
| Issued by | CEO |
| Version doc. | 0.9 |
| Review freq. | Yearly |
| Date of issue | June 7, 2025 |
| Owner | CEO/Founder |
| Document status | Draft – Final Draft - Final |
| Approval Date | n/a |
| Classification | Internal |
Change Log
| Version | Date | Author | Comments |
|---|---|---|---|
| 0.1 | June 7, 2025 | Olaf Jacobson | First draft document |
Table of Contents
1 Introduction
1.1 Purpose of this document
1.2 Areas of the standard addressed
2 Employee disciplinary process
2.1 General principles
2.2 Process overview
2.3 Process steps
2.3.1 Information security breach
2.3.2 Investigation
2.3.3 Management assessment
2.3.4 No disciplinary action
2.3.5 Verbal warning
2.3.6 Written warning
2.3.7 Dismissal
2.3.8 Appeal
1 Introduction
This disciplinary process is intended for use if an information security breach has occurred. Before following this procedure, a full investigation should be carried out to establish the facts of the breach and to ensure that any disciplinary action is justified. This investigation must be documented.
It is intended that this process will ensure fair and proportionate treatment of employees and will consider the following factors:
- The nature of the breach
- The effect of the breach on the organization
- The clarity of the procedures involved
- The amount and quality of the training received by the employee
- Whether the employee has committed a security breach before
- Any relevant legal factors
This control applies to all employees of the organization, particularly those who will have access to Soon Technologies IT systems.
The following policies and procedures are relevant to this document:
1.1 Purpose of this document
This document sets out a process for disciplining employees in the event of a relevant breach of information security.
1.2 Areas of the standard addressed
The following areas of the ISO/IEC 27001 standard are addressed by this document:
- A.6 People controls
- A.6.4 Disciplinary process
2 Employee disciplinary process
2.1 General principles
The following general principles apply to the disciplinary process set out in this document:
- The disciplinary process will, where possible, be carried out by the immediate manager of the employee concerned
- The process will allow for proportionate action depending on the severity of the information security breach
- The process will allow for graduated action in the event of repeated breaches by the same individual
- The process will be carried out in a timely manner in accordance with business needs
- A fair hearing of both sides will be allowed and meetings will be held at times and in locations that do not unreasonably favour either party
- The employee has the right to be represented or assisted by a third party, including a union representative where appropriate
- The employee will have the right to appeal at each stage of the process
- The details of the breach and the progress of the disciplinary process will be documented by the organization and will be regarded as confidential
2.2 Process overview
The diagram in Figure 1 shows an overview of the steps of the process.
[Figure 1: Disciplinary process overview]
2.3 Process steps
2.3.1 Information security breach
The process is initiated by the detection of an information security breach. This may be a relatively minor event such as the unauthorised use of someone else’s user account or something more major such as the deliberate theft of confidential information. The handling of the breach itself will be according to the procedures set out in the Information Security Incident Response Procedure.
2.3.2 Investigation
At an appropriate time after the information security breach has occurred, an investigation will be carried out by an appropriately trained and experienced person to establish:
- The circumstances of the breach, including date, time, sequence of events, information and systems affected
- The root cause of the breach
- The immediate effect of the breach on the organization
- Whether existing policies and procedures were followed
- If not, then whether the breach would have been avoided if existing policies and procedures had been followed
- The individuals involved
The results and conclusions of the investigation will be documented. The details of the investigation are outside the scope of this document.
2.3.3 Management assessment
If the investigation concludes that there may be a case for disciplinary action against one or more individuals, an assessment will be carried out by top management to decide next steps. The participants in this assessment should include:
- The individual’s immediate manager
- The head of the department in which the individual is employed
- A representative from human resources
- The information security manager
- A representative from the legal department, if appropriate
- The person primarily responsible for the investigation
The individual employee may be requested to participate in parts of the assessment if appropriate. Minutes of the assessment meeting(s) will be taken. In some circumstances it may be appropriate to suspend the employee whilst the management assessment is taking place.
The outcome of the management assessment will be a decision regarding which of the following actions to take:
- No disciplinary action
- Verbal warning
- Written warning
- Dismissal
The action should be communicated to the employee by the employee’s immediate manager if possible.
2.3.4 No disciplinary action
If the breach is not felt to be sufficiently serious to warrant disciplinary action, then other steps may be taken to prevent a recurrence such as informal advice, training, coaching and counselling. This may be done in conjunction with an informal verbal warning which will not be recorded on the employee’s file.
2.3.5 Verbal warning
If there is considered to be enough cause for formal disciplinary action but the circumstances are relatively minor and/or it is the first occurrence, then a verbal warning may be given. A note of this warning will be placed on the employee’s file but will be disregarded after 12 months from the date of the warning.
The employee has the right to appeal against a verbal warning.
2.3.6 Written warning
For more serious breaches, or repeated breaches for which a verbal warning has previously been issued, a written warning may be given. This will specify the reason for the warning, the improvement that is required and the timeframe for that improvement. A review should be held at the end of that timeframe to assess whether the required improvement has happened. If it has not, then further disciplinary action such as a final written warning or dismissal may result.
The written warning will be placed on the employee’s file but will be disregarded after 2 years from the date of the warning.
The employee has the right to appeal against a written warning.
2.3.7 Dismissal
In the case of a serious single breach or repeated breaches for which warnings have previously been issued, it may be decided that dismissal is likely to be the most appropriate action. This may also be the case if it is judged that behaviour amounting to gross misconduct has occurred.
In these circumstances the case against the employee should be set out in writing and copies of any relevant evidence provided to the individual concerned. A formal hearing will then be held to give the employee an opportunity to respond.
After the hearing, the employee’s manager will inform the employee of the final decision which will also be provided in writing.
The employee has the right to appeal against dismissal.
2.3.8 Appeal
If the employee wishes to exercise the right to appeal, this must be notified in writing to the immediate manager within two weeks of the disciplinary decision.
An appeal hearing will be held which will be chaired by a senior manager not previously involved in the disciplinary process. The result of the appeal will be communicated to the employee in writing. No further appeals will be permitted.