The statement is false. The ISO 27001 standard, specifically through its Annex A controls, mandates that an organization establish a formal disciplinary process for employees who commit information security breaches (Control A.7.3). However, the standard does not prescribe the specific steps or severity of this process. The actual response to an offense, such as internet abuse, is determined by the organization's own internal policies, local laws, and contractual agreements. An organization might choose to implement a strict policy with no warnings, but it is not a requirement of the standard. Therefore, it is incorrect to state that an employee will directly receive formal action without a warning, as this depends entirely on the specific organization's documented disciplinary procedure.

A. True: This is incorrect because ISO 27001 provides a framework, not a rigid set of rules for disciplinary action. The standard requires a process to be in place but allows organizations the flexibility to define the specific sanctions appropriate for their context and legal environment.

1. ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements.

Annex A, Control A.7.3 Disciplinary process: The control objective states, "To ensure that employees and contractors are aware of their information security responsibilities." The control itself requires: "There shall be a formal disciplinary process for employees who have committed an information security breach." This clause mandates the existence of a process but does not specify its content or actions.

2. ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls.

Section 7.3 Disciplinary process (Implementation guidance): This section provides guidance on implementing control A.7.3. It states, "The formal disciplinary process should ensure correct and fair treatment for employees who are suspected of committing breaches." This emphasis on "fair treatment" implies that a graduated response (e.g., a warning for a first or minor offense) is a valid and often necessary part of the process, contradicting the absolute statement in the question.

3. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.

Chapter 10, Human Resource Security: This text explains that while the standard requires a formal disciplinary process, "the process itself will be determined by the organization’s HR policies and procedures, and will need to take account of employment law." This confirms that the specific actions taken are organization-dependent and not dictated by the ISO standard itself.