This article provides additional information on how you can meet the requirement for ISO 27001:2022 A.6.1 Screening.
ISO 27001:2022 Control Description
Background verification checks on all candidates to become personnel shall be carried out prior to joining the organisation and on an ongoing basis, taking into consideration applicable laws, regulations and ethics, and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Purpose
To ensure that all personnel are eligible and suitable for the roles for which they are considered and remain eligible and suitable throughout their employment.
Guidance on implementation
A screening process should be conducted for all personnel, including full-time, part-time, and temporary staff. For individuals contracted through service suppliers, screening requirements should be included in the contractual agreements between the organisation and the suppliers.
Information on all candidates being considered for positions within the organisation should be collected and handled in compliance with relevant legislation in the applicable jurisdiction. In some jurisdictions, the organisation may be legally required to inform candidates about the screening activities in advance.
Verification should take into account all relevant privacy, PII protection, and employment legislation and should, where permitted, include the following:
a) Availability of satisfactory references (e.g. business and personal references);
b) Verification (for completeness and accuracy) of the applicant’s curriculum vitae;
c) Confirmation of claimed academic and professional qualifications;
d) Independent identity verification (e.g. passport or other acceptable document issued by appropriate authorities);
e) More detailed verification, such as credit review or criminal record checks, if the candidate is to take on a critical role.
When hiring an individual for a specific information security role, the organisation should ensure that the candidate:
a) Has the necessary competence to perform the security role;
b) Can be trusted to undertake the role, especially if it is critical for the organisation.
If a job, whether at initial appointment or promotion, involves access to information processing facilities, particularly if it involves handling confidential information (e.g. financial, personal, or health care information), the organisation should consider additional, more detailed verifications.
Procedures should define criteria and limitations for verification reviews (e.g. who is eligible to conduct screenings and how, when, and why verification reviews are carried out).
In situations where verification cannot be completed in a timely manner, mitigating controls should be implemented until the review is finished. Examples include:
a) Delayed onboarding;
b) Delayed deployment of corporate assets;
c) Onboarding with restricted access;
d) Termination of employment.
Verification checks should be repeated periodically to confirm the ongoing suitability of personnel, depending on the criticality of the person’s role.