What is ISO 27001 Annex A 6.1 Screening?
ISO 27001 Annex A 6.1 Screening ensures all candidates undergo background checks before employment. This documented process must be integrated into your internal HR workflows, for example those run in SharePoint or Jira. It verifies identity, qualifications, and integrity. This control protects the organisation from insider threats by ensuring that only trustworthy personnel handle sensitive data.
Auditor’s Eye: The Shortcut Trap
Many companies buy background checking software. They rely on the software dashboard for compliance. This is a mistake. Auditors want to see how your HR team reviews these reports. They want to see decision logs in your internal systems. A green tick in an external portal does not prove management oversight. We prefer seeing the review history within your native SharePoint environment. This demonstrates that you own the screening process and the resulting risks.
| ISO 27001:2013 Reference | ISO 27001:2022 Reference | Key Requirement Summary |
|---|---|---|
| A.7.1.1 Screening | A.6.1 Screening | Maintain background verification for all candidates and contractors based on business risk. |
How to Implement ISO 27001 Annex A 6.1 Screening (Step-by-Step)
Implement screening by embedding verification steps into your existing recruitment tools. Use Jira to track the progress of candidate checks. Store the final results in a secure SharePoint document library. This method ensures compliance is a standard part of your hiring culture. It avoids the need for disconnected compliance software. Follow these steps for an integrated approach.
- Create a Screening Policy: Store this policy in your SharePoint Document Management System.
- Define Risk-Based Checks: Determine which roles require deeper financial or criminal record checks.
- Update Jira Workflows: Ensure no onboarding ticket can close without verified screening data.
- Store Evidence Internally: Keep all qualification certificates in a restricted SharePoint folder.
- Review Trends: Discuss screening failures in your quarterly security management meetings.
ISO 27001 Annex A 6.1 Screening Audit Evidence Checklist
Focus on manual records and internal document versions. These items prove human oversight and intent. Keep these records ready for your next audit.
- A current Screening Policy with a clear version history in SharePoint.
- Recruitment logs showing that checks were completed before the start date.
- Identity verification records for all permanent and contract staff.
- Signed copies of professional references verified by HR.
- Internal audit reports reviewing the effectiveness of the screening process.
Relational Mapping
- ISO 27001 Clause 7.2: Requirements for personnel competence.
- Annex A 6.2: Terms and conditions of employment.
- Annex A 5.20: Information security in supplier relationships.
Auditor Interview
Auditor: How do you manage the screening of temporary contractors?
Manager: We use the same Jira onboarding workflow as permanent staff. We require our agencies to provide evidence of screening before access is granted.
Auditor: Where do you record your review of these external checks?
Manager: We log the verification in our SharePoint Contractor Register. It includes the date and the name of the HR reviewer.
Common Non-Conformities
| Non-Conformity Type | Description | Remediation Strategy |
|---|---|---|
| Automated Complacency | Reliance on a SaaS portal tick. No internal review records exist. | Document HR review of portal reports in SharePoint. |
| Late Verification | Screening checks completed after the employee’s start date. | Make screening a mandatory gate in the Jira onboarding workflow. |
| Missing Documentation | No evidence of identity verification for long-term contractors. | Conduct a retrospective audit of all contractor files in SharePoint. |
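As an added example (not code from the original article), the three non-conformities in the table above can be checked mechanically over an HR export before an onboarding ticket is allowed to close. The record fields (ticket, start, screening_done, hr_reviewer, identity_verified) and the sample rows are constructed assumptions; map them to your own Jira or SharePoint columns.

```python
from datetime import date

# Constructed sample export; field names are assumptions, not a real schema.
SAMPLE_RECORDS = [
    {"ticket": "ONB-1", "contractor": False, "start": date(2024, 3, 4),
     "screening_done": date(2024, 2, 26), "identity_verified": True,
     "hr_reviewer": "HR-Reviewer-1", "hr_review_date": date(2024, 2, 27)},
    # Late Verification: screening finished a week after the start date.
    {"ticket": "ONB-2", "contractor": False, "start": date(2024, 3, 4),
     "screening_done": date(2024, 3, 11), "identity_verified": True,
     "hr_reviewer": "HR-Reviewer-1", "hr_review_date": date(2024, 3, 11)},
    # Automated Complacency: portal result present, no HR review logged.
    {"ticket": "ONB-3", "contractor": True, "start": date(2024, 4, 1),
     "screening_done": date(2024, 3, 20), "identity_verified": True,
     "hr_reviewer": None, "hr_review_date": None},
    # Missing Documentation: contractor with no identity verification on file.
    {"ticket": "ONB-4", "contractor": True, "start": date(2024, 4, 1),
     "screening_done": date(2024, 3, 25), "identity_verified": False,
     "hr_reviewer": "HR-Reviewer-2", "hr_review_date": date(2024, 3, 26)},
]


def find_non_conformities(records):
    """Return {ticket: [finding, ...]} for every record that fails a gate."""
    findings = {}
    for r in records:
        issues = []
        done = r.get("screening_done")
        # Gate 1: checks must be complete on or before the start date.
        if done is None or done > r["start"]:
            issues.append("Late Verification")
        # Gate 2: a named HR reviewer and review date must be recorded
        # internally; a portal tick on its own does not count.
        if not r.get("hr_reviewer") or r.get("hr_review_date") is None:
            issues.append("Automated Complacency")
        # Gate 3: identity verification is required for all staff,
        # permanent and contract alike.
        if not r.get("identity_verified"):
            issues.append("Missing Documentation")
        if issues:
            findings[r["ticket"]] = issues
    return findings


def ready_to_close(record):
    """Workflow gate: an onboarding ticket may close only with no findings."""
    return not find_non_conformities([record])


if __name__ == "__main__":
    for ticket, issues in find_non_conformities(SAMPLE_RECORDS).items():
        print(ticket, ", ".join(issues))
```

The same function can run as a scheduled retrospective audit over all contractor files, which is the remediation the table recommends for missing documentation.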
Frequently Asked Questions
What is the first step in ISO 27001 screening?
The first step is defining your screening requirements in a policy. This document should be stored in SharePoint. It must outline which checks are needed for specific job functions. Use risk assessment to justify the level of screening for each role. This proves to auditors that your process is deliberate.
How do we handle screening for international candidates?
International candidates require locally equivalent background checks. Document these variations in your internal HR wiki. Use reputable global providers, but log the final verification in your own systems. This ensures you maintain a consistent audit trail regardless of the candidate’s location. Management must approve any deviation from the standard policy.
Why is it better to use SharePoint than a SaaS portal for records?
SharePoint keeps sensitive personal data (PII) within your organisational boundary. It allows you to apply your own access controls and retention rules. Auditors value the ability to see the full document history. It proves that your organisation is actively managing the data. Disconnected SaaS portals often lack this level of integrated transparency.
