ISO 27001 Annex: A.7 Human Resource Security
A.7.1 Before Employment
ISO 27001 Annex: A.7 Human Resource Security – The goal of this program is to ensure that both employees and vendors know their duties and are qualified for their roles.
A.7.1.1 Screening
Control
To qualify for an interview, prospective employees will undergo background checks that are compliant with applicable legislation, rules, and ethics, as well as being proportionate to business needs, the type of information is obtained, and the potential risks.
Implementation Guidance
Privacy, personal identity information security, and employment-related policies should be considered and should include:
– The presence of two references, one business and one personal, regarding the applicant’s character;
– Examine the curriculum vitae of the applicant (for completeness and accuracy);
– Validation of professional and academic qualifications;
– Identification document that is independent of any other document (passport, etc. );
– Additional thorough checks, such as credit and criminal record checks.
Organizations should ensure the following points when hiring a private individual for a designated security position:
– Possesses the expertise required to perform security duties;
– The candidate’s trustworthiness, especially in a strategic role.
When an organization needs to hire or promote someone with access to complex computer facilities, especially if that person will be dealing with sensitive data, especially financial or confidential data, additional verification is often required.
Verification reviews should be defined in procedures, including who is eligible for screening and how, where, and why they are conducted.
Contractors should also be screened. As the company and contractor enter into these contracts, they will specify what screening process to follow and what notification procedures to follow if the screening is not complete or if the results raise concerns.
According to the relevant regulatory framework in each relevant jurisdiction, the company obtains and processes information on all applicants eligible to apply for positions. As required under law, applicants will be notified before the screening begins.
A.7.1.2 Terms and Conditions of Employment
Control
Employment contracts and contractor agreements would outline the company’s and employees’ responsibilities for information security.
Implementation Guidance
Employees and contractors’ responsibilities should correspond to the company’s information security policies and clarify and state the following points:
– Any employee and contractor who may work with sensitive information will be required to sign confidentiality or non-disclosure agreements as a condition of being granted access to information processing facilities;
– Employees’ and contractors’ legal responsibilities, e.g. copyright and data protection laws;
– The employee’s or contractor’s responsibilities for classification of information and handling of the information, the processing of information, and the provision of information services;
– Responsibilities of employees and contractors when handling information from outside sources;
– The actions to be taken when an employee or contractor fails to comply with a company’s security requirements.
As part of the pre-employment process, applicants should have an understanding of their roles and responsibilities regarding information security.
To ensure data security, the organization must ensure that employees and contractors are appropriately informed of the terms and conditions of information security.
In most cases, the terms and conditions of an employment contract should extend for a specified period after the employee’s termination.
Other Information
A Code of Conduct may specify the responsibilities of an employee, vendor, or independent contractor in terms of confidentiality, data security, compliance with ethical standards, appropriate use of the organization’s facilities and equipment, as well as the organization’s responsible practices. There may be instances when an external party associated with the contractor enters into contractual agreements on the contractee’s behalf.
Related Questions
1. Describe ISO 27001 Annex: A.7 Human Resource Security.
2. How is employment history verified by companies?
3. What is the most common background check used by employers?
4. What does HR look for when conducting a background check?
5. What are the controls in ISO 27001 Annex: Annex A.7 Human Resource Security?
6. Which is the best way to run a background check on myself?