Implementing ISO 27001 Annex A 6.1 Screening
Building a secure organisation starts with people. Before you hand over the keys to your data or systems, you need to know who you are dealing with. This is the core purpose of Annex A 6.1. In the 2022 version of the standard, this control is simply called “Screening”.
As a certification body, we often see organisations treat this as a simple box-ticking exercise. They might collect a CV and make a quick phone call. However, ISO 27001 requires more structure than that. We want to see that you understand the risks associated with the people you hire. This guide will walk you through what we expect to see when we come to audit you.
Understanding the Requirement
The standard asks you to perform background verification checks on all candidates for employment, contractors, and third-party users. These checks must be done before they join the organisation. If that is not possible, the checks must be completed as soon as possible after they start.
The key phrase here is “proportional to the risk”. You do not need to run a forensic financial investigation on a summer intern who only accesses the lunch menu. However, a database administrator with access to all your client data requires a much deeper level of scrutiny. The checks should match the level of trust you are placing in that person.
How to Plan Your Screening Process
You need a policy that defines who gets checked and how. This ensures consistency. You cannot check one developer thoroughly and ignore another just because you needed them to start urgently. We look for a repeatable process.
Start by defining the roles in your company. Group them by risk level. Roles that handle sensitive information or financial data are high risk. Roles with no access to sensitive data are low risk. Once you have these groups, decide what checks apply to each.
Common checks include identity verification, criminal record checks, credit checks, and academic verification. You should also check references from past employers. Make sure you document which roles require which checks. This creates your “screening standard” or procedure.
Dealing with Laws and Regulations
You must always respect the law. ISO 27001 does not override local labour laws or privacy regulations like the GDPR. In some countries, you cannot perform criminal record checks for certain roles. In others, you cannot ask about credit history.
When we audit you at ISO27001.com, we check that you have considered these legal constraints. You should explicitly state in your policy that checks are carried out in accordance with relevant laws and ethics. If you cannot perform a certain check due to legal reasons, document that risk and how you manage it.
The Auditor Perspective: What We Look For
When an auditor arrives, they will ask to see your Human Resources or onboarding process. We are looking for evidence. We will likely select a sample of recent hires and ask to see their screening files.
We expect to see a completed checklist or a report for each person. If your policy says you check references, we want to see the email or the notes from the call. If you require a criminal record check, we want to see the certificate or the confirmation that it was clear. Missing evidence is a very common source of non-conformity.
We also look at timing. Did the checks happen before the person started working? If they started before the checks were done, was their access restricted? We want to see that you managed the risk during that gap.
Screening Contractors and Third Parties
Many organisations forget that this control applies to contractors too. If you hire a freelance consultant or use a staffing agency, you are still responsible. You must ensure they have been screened.
You can do this in two ways. You can screen them yourself, or you can write it into the contract with the agency. If the agency does it, you must ask for assurance. We often ask to see the contract where the agency guarantees they have vetted their staff to your standards.
Common Mistakes to Avoid
One of the biggest mistakes is failing to screen senior management. Often, founders or directors are excluded from the process because they are trusted implicitly. From an ISO 27001 perspective, this is a gap. Senior leaders often have the most access and pose the biggest risk if things go wrong.
Another mistake is relying solely on automated emails. While software helps, a human should review the results. If a check comes back with issues, we want to see what decision you made. Did you hire them anyway with extra supervision? Did you withdraw the offer? The decision process matters just as much as the check itself.

Maintaining the Standard
Implementing Annex A 6.1 is not just about the first week of employment. You should consider when to re-screen staff. If someone is promoted to a highly sensitive role, does that trigger a new round of checks? Your policy should answer this question.
By setting clear rules and keeping solid records, you protect your business and make your audit much smoother. It shows us that you take security seriously from the very first interaction with your team.
