ISO 27001 Annex A 6.1 – Screening

ISO 27001 Annex A 6.1 is about employee screening and performing background checks on people both before you hire them and while they are working for you.

What is ISO 27001 Annex A 6.1?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Screening”.

What is the ISO 27001 Annex A 6.1 control objective?

The formal definition and control objective in the standard is: “Background verification checks on all candidates to become personnel should be carried out prior to joining the organisation and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.”

What is the purpose of ISO 27001 Annex A 6.1?

The purpose of ISO 27001 Annex A 6.1 is “to ensure we have checked people to an appropriate level before they get access to our data and information.”

Is ISO 27001 Annex A 6.1 Mandatory?

ISO 27001 Annex A control 6.1 (Screening in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 6.1 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

You should perform background screening on everyone who works with you. This includes people who are:

  • Full time
  • Part time
  • Temporary
  • Resources from outside suppliers

Background Checks and the Law

You should talk to your legal team or a lawyer to get guidance and agree on what is allowed. Their advice always comes first.

Since background checks usually involve gathering, handling, and sharing private personal details and protected information (as described by UK law), your organization must strictly follow all employment laws in every place you operate.

ISO 27001 Background Check Needs

The depth of your background checks will match the need and the risk involved, but here are the usual things you should check:

  • References
  • Details on the application or resume
  • Proof of education or degrees
  • Identity
  • Criminal record or financial history, if necessary

More Detailed Vetting

The level of checking will match the job and the risk it presents. Not everyone will go through a full and detailed check, but some jobs are naturally risky and need extra checks. Common examples of jobs needing this extra vetting include:

  • Administrators
  • Users with high system access
  • Directors
  • People with power over money
  • People with legal authority
  • Those who handle very private or protected information
  • People in information security jobs

Information Security Jobs

For people in information security, you need to be sure they can do the job well and that you can trust them. This appears to call for industry certifications; and while how to measure trust is unclear, you should be aware of this requirement.

When You Cannot Finish Checks on Time

If you cannot finish the checks in time, the standard gives some very firm suggestions. While you may not agree with all of them, its approach is to delay the start date, withhold company equipment, allow only limited access, or even dismiss the person. There is a limit to how practical this is, so use your best judgment and have a plan for when check results are late.

Do It and Do It Again

You must have a way to repeat the checks every so often. You decide what “periodically” means. Just write down how often you will do it, but make it fit your needs and risks.

Screening Process

Your screening procedures must clearly name the people in charge and state the reason for the process.


What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

Employee Screening in HR Work

You need to show that you have a written onboarding process that clearly includes steps for checking new employees. Auditors will probably ask to see proof that you have completed these checks for staff you have recently hired. If this information is private, you can usually show copies of the screening results with sensitive details removed.

Dealing with Failed Checks

Auditors will look at what your organization does when a background check or other screening is not successful. People often forget that not all checks will pass. You must have a set procedure for dealing with checks that fail, even if that means you must tell the Chief Executive Officer (CEO) or other senior managers.