Human Resource Security
Human Resource Security
Human Resource Security
1 Screening
A good control covers background verification and competence checks on all candidates for
employment. These must be carried out in accordance with the relevant laws, regulations and
ethics, and should be proportional to the business requirements, the classification of the
information that will be accessed and the perceived risks associated. For example, staff accessing
higher level information assets that carry more risk may be subject to much more stringent checks
than staff who only ever get access to public information or handle assets with limited threat.
Putting in place adequate and proportionate HR controls at all stages of employment helps to
reduce the likelihood of accidental or malicious threats. The screening should also take place for
contractors (unless their parent organisation meets your broader security controls e.g. has their
own ISO 27001 and does their own background checks.) An auditor will expect to see a screening
process with clear procedures being operated consistently each time to also help avoid any
preference/prejudice risks too. Ideally this will be aligned with the overall organisation hiring
process.
The contractual agreement with employees and contractors must state their and the organisation’s
responsibilities for information security. These agreements are a good place to put key information
security general and individual responsibilities as they carry legal weight – meaning they are
backed up by the law. This is also very important as regards GDPR and the new Data Protection
Act 2018. They should reference and cover a whole range of control areas including overall
compliance with the ISMS as well as more specifically acceptable use, IPR ownership, return of
assets etc. We recommend working with an HR Lawyer if you are unsure as the consequences for
getting employment contracts wrong from an information security perspective (and other
dimensions) can be significant.
We make achieving ISO 27001 easy
A good control describes how employees and contractors apply information security in accordance
with the policies and procedures of the organisation. The responsibilities placed upon managers
should include requirements to; Ensure that those they are responsible for understand the
information security threats, vulnerabilities and controls relevant to their job roles and receive
regular training (as per A7.2.2); Ensure buy-in to proactive and adequate support for relevant
information security policies and controls; and Reinforce the requirements of the terms and
conditions of employment. Managers play a critical role in ensuring security consciousness and
conscientiousness throughout the organisation and in developing an appropriate “security
culture”.
A.7.2.2 Information Security Awareness, Education & Training
All employees and relevant contractors must receive appropriate awareness education and training
to do their job well and securely. They must receive regular updates in organisational policies and
procedures when they are changed too, along with a good understanding of the applicable
legislation that affects them in the role. It is common for the information security team to partner
with HR or a Learning & Development team to carry out skills, knowledge, competence and
awareness assessments and to plan and implement a programme of awareness, education and
training throughout the employment lifecycle (not just at induction). You need to be able to
demonstrate that training and compliance to auditors. Also carefully consider how the training and
awareness is delivered to give the staff and contractor resource the best chance of understanding
and following it – this means careful attention to content and medium for delivery.
There needs to be a documented disciplinary process in place and communicated (in line with
A7.2.2 above). Whilst focused here for disciplinary action following security breaches, it can also
be dovetailed with other disciplinary reasons. If your organisation already has a recognised HR
disciplinary process then ensure it covers information security in the manner required for the ISO
27001:2013 standard.
Annex A.7.3 is about termination and change of employment. The objective in this Annex is to
protect the organisation’s interests as part of the process of changing and terminating employment.
Information security responsibilities and obligation that remain valid after termination or change
of employment must be defined, communicated to the employee or contractor and
enforced. Examples include keeping information confidential and not leaving with information that
belongs to the organisation.
It is really important to ensure that information remains protected after an employee or contractor
leaves the organisation, as people themselves are walking data stores. The contractual terms &
conditions should reinforce this, and the leaver’s process and/or contract termination process
(including return of assets) should include a reminder to individuals that they have some
responsibilities to the organisation even after they have left.
An auditor will want to see evidence of leavers having returned their assets and the process being
closed off and documented to demonstrate assets are updated in the asset inventory (A8.1.1)
where appropriate too.
This is not just about termination and exit. If an employee changes role e.g. moving from operations
to sales, you should do a review to demonstrate they no longer have access to information assets
that are not required in the new role, and are provisioned with access to information assets needed
for the future.