Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
This control is about confirming that new hires are trustworthy and fit for the job. It covers background reviews before joining and ongoing checks afterwards, balanced against applicable laws and the level of risk, to avoid hiring someone who might harm information security.
A company hiring a bookkeeper verifies their resume, references, and criminal record before offering the job, ensuring they can handle financial data safely.
Answer: Screening should be done before joining and periodically afterward, especially for critical roles.
Answer: References, resume accuracy, qualifications, identity, and possibly credit or criminal checks for sensitive positions.
Answer: Include screening requirements in contracts with suppliers.
The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security.
Job contracts should clearly list security duties for employees and the company. This ensures everyone knows what to do to keep information safe from day one.
A new employee’s contract includes rules like not sharing passwords and reporting lost devices, which they sign before starting.
Answer: Confidentiality agreements, legal responsibilities, asset handling, and actions for disregarding security requirements.
Answer: During the pre-employment process.
Answer: For a defined period, as stated in terms and conditions.
Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.
Everyone needs training on security rules to avoid mistakes. This includes regular sessions and updates so staff know how to protect data in their roles.
A shop runs monthly emails and quizzes on spotting phishing, helping staff avoid scams with customer emails.
Answer: Periodically, with initial training for new hires or role changes.
Answer: Management commitment, compliance needs, personal accountability, basic procedures, and contacts for advice.
Answer: Test knowledge at the end of activities.
A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.
Have a clear process for dealing with security rule breaches. It deters violations and handles them fairly, starting only after a violation has been confirmed.
If an employee shares a password, the company follows steps like a warning or training, based on how serious it is.
Answer: After verifying a violation has occurred.
Answer: Nature and gravity of the breach, if intentional, repeats, and training received.
Answer: To deter violations and deal with them appropriately.
Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.
Even after leaving or changing roles, some security duties continue, such as keeping information confidential. Define these in contracts to protect company information.
A former manager’s contract says they can’t share client lists for a year after leaving.
Answer: Treat as termination of old role and start of new.
Answer: Identify and transfer to others.
Answer: Use the process when their contract or job ends or changes.
Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.
Use agreements to keep sensitive info private. Review them regularly and have everyone sign who needs access.
New hires sign an NDA promising not to share company recipes.
Answer: Definition of protected info, duration, actions on termination, responsibilities, ownership, permitted use, audit rights, reporting process, return terms, and non-compliance actions.
Answer: Periodically and when changes influence requirements.
Answer: Personnel and interested parties like suppliers.
Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.
For home or remote work, set rules to keep data safe, like secure connections and home setup checks.
A firm provides secure laptops and VPNs for staff working from home.
Answer: Physical security, rules for environment, communications, virtual desktops, unauthorized access threats, network use, security measures, equipment support, insurance, backup, audit, and revocation.
Answer: Suitable devices and furniture if privately owned equipment is not allowed.
Answer: Provide hardware/software support and maintenance.
The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
Make it easy for staff to report security issues quickly, like strange emails, to stop problems early.
Employees use a hotline to report a suspected hack.
Answer: To prevent or minimize incidents’ effects.
Answer: Clear procedures, multiple channels, anonymous options, and awareness of what to report.
Answer: Through training and non-punitive culture.