CHAPTER 6: PEOPLE CONTROLS (ISO/IEC 27001, A.6)
6.1 Screening (ISO/IEC 27001, A.6.1)
"Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks."
Implementation guidance
Screening is an essential control that can prevent the organisation employing the wrong person. Identification checks, CV reviews, checks of qualifications and verification of character references are possible elements within the screening process, but legal constraints may specify the type and depth of checks permitted. Whatever screening and data collection takes place, care should be taken to ensure that all applicable legislation and regulations are complied with.
Where the proposed position provides access to sensitive, critical and/or personally identifiable information, it is highly advisable to verify the nature of a candidate's responsibilities in previous similar positions. However, some organisations will not, as a matter of policy, offer any detail or opinion other than confirmation of the period employed and the previous position held. Gaps or apparent irregularities in employment should be questioned.
All exchanges and interviews should be fully documented and retained on file throughout employment and for a reasonable period after it ceases, or after rejection of an application pending any possible appeal by the applicant. The required screening processes should take place for all people working within the scope of the ISMS, irrespective of whether these are employees, contractors or third-party users.
Auditing guidance
The auditor should collect evidence that screening procedures for personnel recruitment (including contractors, third-party users and temporary staff) are being consistently applied and include appropriate verification checks. ISO/IEC 27002, 6.1 lists the items to be covered. Organisations should not rely on employee-supplied CVs, endorsement letters or qualifications without suitable independent verification of the data supplied. The auditor needs to check any follow-up actions, such as conversations with referees, which should be documented. Managers and recruitment staff should be interviewed to establish that they are aware of their responsibilities for evaluating and reviewing the background checks for staff in their area of responsibility. The auditor should also check that all information related to personnel verification checks is handled in accordance with all relevant regulations and legislation (e.g. data protection; see 5.34).
6.2 Terms and conditions of employment (ISO/IEC 27001, A.6.2)
"The employment contractual agreements shall state the personnel's and the organization's responsibilities for information security."
Implementation guidance
It is important that employees, contractors and third-party users are aware of their security and legal responsibilities regarding the handling of information, the classifications and use of information processing facilities, and the consequences of not complying with security or legal requirements. This also extends to any contractual obligations that the organisation has entered into that might affect the employee's, contractor's or third-party user's scope of work. Any such responsibilities should be included in terms and conditions of employment.
It is also important that employees, contractors and third-party users sign a confidentiality agreement (see also 6.6) before starting work, and that they understand that such responsibilities may extend beyond their normal working environment and working hours, as well as home working, working on customers' sites and any other form of remote working. Some confidentiality agreements may persist beyond the termination of the individual's employment with the organisation, if legally permitted (see 6.5).
In addition, the organisation's responsibilities for handling the personal data of employees, contractors and third-party users should be stated, for example compliance with data protection legislation (see also 5.34).
Auditing guidance
Auditors should check whether the terms and conditions of employment accurately describe both the employer's and the employee's, contractor's or third-party user's responsibilities for information security. These descriptions should cover all security-relevant aspects of the employee's job, including responsibilities applicable to legal requirements, responsibilities related to classified information, working outside the organisation or outside normal working hours, and those responsibilities that might extend beyond the employee's contract. The terms and conditions should also describe the actions that will be taken if employees do not fulfil their security responsibilities.
The auditor should check that agreement to, and signing of, the terms and conditions of employment is a requirement before any work starts. Employees, contractors and third-party users should also be required to sign a confidentiality agreement (see also 6.6) before accessing any confidential information. The auditor should confirm that procedures are in place to ensure that the terms and conditions of employment are updated if the employee's security responsibilities change in any way, e.g. taking on new roles or using new or different information processing facilities.
The auditor should also check that the organisation's responsibilities for handling personal data are clearly stated, e.g. compliance with data protection legislation (see also 5.34).
6.3 Information security awareness, education and training (ISO/IEC 27001, A.6.3)
"Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function."
Implementation guidance
The organisation is vulnerable to the activities of untrained employees, contractors and third-party users. There is a risk of them producing incorrect and corrupted information or losing it completely. Untrained personnel can take wrong actions and make mistakes through ignorance.
All personnel should be trained in the relevant policies and procedures, including security requirements and other business controls. They should also be trained to use all the IT products and packages required of their position, as well as in the relevant security procedures. The organisation should consider when training should be repeated and updated.
Training might be required at different levels as follows.
a) Basic security awareness: every employee, and where relevant, contractor and third-party user, should be given a foundational level of security awareness training. The foundation training should explain the organisation's security policy, objectives and procedures that everyone is required to follow.
b) Supplementary security training: staff with special responsibilities for security (not only security-dedicated roles) should, in addition to basic training, be provided with relevant, specialist training. A training plan should be developed for these individuals, taking into account both the specific knowledge and skill required for their role, and their existing capabilities, understanding and needs.
The general development of security knowledge can benefit significantly from employees attending suitable conferences and carefully selected events, which are frequently free. Ensure that training suppliers use appropriately qualified staff, and that the syllabus is clear and consistent with the organisation's requirements. Training that reflects the ethos and culture of an organisation will be remembered better, and be more usable, than generic training.
The following approach will ensure that training and awareness have the best chance of effectiveness.
Keep it current: Regularly update security education and awareness programmes to address emerging threats and ensure alignment with the latest organisational policies and procedures.
Availability: Make the material supporting training (including procedures and policies) readily available to employees.
Reinforcement: Refresh awareness as necessary via refresher courses or tests to determine whether additional training is required.
Inclusive: Ensure that training caters to all levels of the organisation, including contractors and third-party users, reflecting the need for a holistic approach.
Engagement and understanding: Use engaging training methods that foster a deep understanding of security policies and encourage active participation in security practices.
Performance metrics: Establish training records and use clear metrics to assess the effectiveness of the training programmes. This could involve regular testing, feedback sessions, and practical exercises that simulate security incidents (see also 5.24 and Clause 9.1 of ISO/IEC 27001). All training, test results and...