What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 6.1

ISO 27001 Annex A 6.1 - what changed in the 2022 update

When it comes to information security, we often think about firewalls, encryption, and complex passwords. But as any seasoned security professional will tell you, the biggest risk, and the biggest asset, is people. In the transition from ISO 27001:2013 to the 2022 update, the way we “vet” the people we trust with our data has seen some important refinements. This is now handled under Annex A 6.1: Screening.

The Structural Shift: From 7.1.1 to 6.1

In the older ISO 27001:2013 standard, employee and contractor background checks were covered under Control 7.1.1. It was part of the “Human Resources Security” domain, which was specifically focused on the lifecycle of employment. While the core intent hasn’t changed, the 2022 version has relocated this to the People Controls theme.

By moving into Theme 6, the standard places “Screening” at the forefront of human-centric security. According to the team at Hightable.io, this reclassification highlights that screening is not just an HR onboarding task; it is a continuous security control that ensures the “trustworthiness” of anyone with access to your information assets.

What Exactly is New in Annex A 6.1?

While the 2013 version (7.1.1) was fairly straightforward about performing checks before hiring, the 2022 update (6.1) is more prescriptive about how those checks should be maintained. The most significant changes include:

  • Ongoing Screening: The 2013 version focused heavily on “prior to joining.” The 2022 version explicitly adds that screening should be carried out on an ongoing basis. This means that for certain high-risk roles, a single check at the start of employment might no longer be enough.
  • A Risk-Based Approach: The new standard emphasizes that checks must be “proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.” In simple terms: you don’t need to do a deep-dive financial background check on an intern, but you definitely should for your CFO or System Administrator.
  • Incomplete Verification Guidance: The 2022 update provides better guidance on what to do when a check can’t be completed or returns a “red flag.” It encourages organizations to have a plan for restricted access or alternative supervision if a screening process is delayed.

The “Ongoing” Requirement: A Practical Challenge

The addition of “ongoing” screening is perhaps the most notable change for organizations transitioning from the 2013 version. It recognizes that a person’s circumstances can change over time. Someone who was perfectly trustworthy five years ago might now be facing financial or personal pressures that increase their “insider threat” risk profile.

Hightable.io suggests that for many businesses, this doesn’t mean re-running every criminal check every year. Instead, it might mean refreshing specific checks when an employee moves to a more sensitive role, or setting a schedule (e.g., every three years) for re-verifying credentials for those in critical positions.

What Does an Auditor Look for in 6.1?

If you are moving to the 2022 standard, your evidence trail needs to be tighter. Under the old 7.1.1, showing a signed contract and a CV was often “good enough.” For 6.1, auditors are looking for a more formal process. They will likely ask to see:

  • A Tiered Matrix: Evidence that you have thought about different roles and assigned appropriate levels of screening to each.
  • Proof of Consent: Signed and time-stamped documents showing the candidate or employee agreed to the checks.
  • Consistency: Verification that you are following your own policy for every new hire and contractor without exception.
  • Handling Failures: Documentation showing how you handled cases where a background check didn’t come back perfect.

Why the Change to Annex A 6.1 Matters

The update to 6.1 reflects the modern reality of the “Extended Enterprise.” Today, we don’t just have full-time employees; we have contractors, consultants, and offshore partners. ISO 27001:2022 ensures that all these groups are screened appropriately before they touch your data.

As noted by Hightable.io, the shift toward ongoing and proportional screening turns a “once-and-done” administrative task into a proactive risk management tool. It ensures that your “circle of trust” remains secure even as people move within your organization or as the business landscape changes.

Preparing for Your Transition

If you are currently transitioning from ISO 27001:2013, don’t just copy-paste your old HR policy. Take the time to map your roles against your information classification. Ensure your onboarding process is clearly documented and that you have a “re-screening” trigger for role changes or periodic reviews.
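One way to turn the three points above into something checkable: the risk-based tiers, the re-screening triggers for role changes and periodic reviews, and the “restricted access or alternative supervision” fallback for a delayed or flagged check. This is an added Python example, not code from the article or from Hightable.io. The tier names, the classification-to-tier mapping, the re-check intervals (the three-year figure mirrors the article's “e.g., every three years”), and the sample roster are all assumptions constructed for illustration; replace them with your own screening matrix.

```python
"""
Added example (not from the article or Hightable.io): a small checker that
applies a tiered, proportional screening policy and raises re-screening
triggers for role changes and periodic reviews. Tier names, the
classification-to-tier mapping, the intervals and the roster are assumed.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Tier(Enum):
    BASIC = 1      # assumed: identity and right-to-work only
    STANDARD = 2   # assumed: plus employment history and references
    ENHANCED = 3   # assumed: plus criminal and financial checks for critical roles


# Assumed: highest information classification a role touches -> required tier
TIER_BY_CLASSIFICATION = {
    "public": Tier.BASIC,
    "internal": Tier.STANDARD,
    "confidential": Tier.ENHANCED,
    "restricted": Tier.ENHANCED,
}

# Assumed periodic re-check interval in years; None means no periodic re-check.
RESCREEN_YEARS = {Tier.BASIC: None, Tier.STANDARD: 5, Tier.ENHANCED: 3}

# Constructed "as of" date used by the sample run below
AS_OF = date(2024, 6, 1)


@dataclass
class Person:
    name: str
    classification: str             # highest classification the current role accesses
    last_screened: Optional[date]   # None = never screened
    screened_tier: Optional[Tier]   # tier of the last completed check
    check_complete: bool = True     # False = check delayed or returned a red flag


def required_tier(classification: str) -> Tier:
    return TIER_BY_CLASSIFICATION[classification.lower()]


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb in non-leap target years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def rescreen_due(p: Person, today: date) -> tuple[bool, str]:
    """Return (due, reason) covering: never/incompletely screened, role moved
    to a more sensitive tier, or the periodic interval for the tier elapsed."""
    tier = required_tier(p.classification)
    if p.last_screened is None or p.screened_tier is None:
        return True, "never screened"
    if not p.check_complete:
        return True, "check incomplete or flagged"
    if p.screened_tier.value < tier.value:      # moved to a more sensitive role
        return True, f"role now requires {tier.name}, last check was {p.screened_tier.name}"
    years = RESCREEN_YEARS[tier]
    if years is not None:
        due_date = add_years(p.last_screened, years)
        if today >= due_date:
            return True, f"periodic re-check due since {due_date.isoformat()}"
    return False, "current"


def access_decision(p: Person, today: date) -> str:
    """
    'full'       - screening is current for the role
    'restricted' - no valid check for the role yet: restricted access or
                   alternative supervision until screening completes
    'review'     - periodic re-check overdue: schedule it and record the finding
    """
    due, _ = rescreen_due(p, today)
    if not due:
        return "full"
    no_valid_check = (
        p.last_screened is None
        or p.screened_tier is None
        or not p.check_complete
        or p.screened_tier.value < required_tier(p.classification).value
    )
    return "restricted" if no_valid_check else "review"


def report(people, today: date):
    """Audit-style listing, one row per person: usable as consistency evidence."""
    return [(p.name, access_decision(p, today), rescreen_due(p, today)[1]) for p in people]


# Constructed sample roster (fictional names, roles and dates)
ROSTER = [
    Person("intern", "internal", date(2022, 1, 10), Tier.STANDARD),
    Person("sysadmin", "restricted", date(2020, 3, 15), Tier.ENHANCED),
    Person("promoted_analyst", "confidential", date(2023, 5, 1), Tier.STANDARD),
    Person("new_contractor", "internal", None, None),
    Person("flagged_hire", "internal", date(2024, 5, 1), Tier.STANDARD, check_complete=False),
]

if __name__ == "__main__":
    for name, decision, reason in report(ROSTER, AS_OF):
        print(f"{name:18} {decision:10} {reason}")
```

Running it produces the kind of per-person listing an auditor asks for under “Consistency” and “Handling Failures”: the promoted analyst is flagged because the role's classification now demands a higher tier than the last check covered, the flagged hire lands on restricted access rather than silently keeping full access, and the overdue periodic check for the system administrator is surfaced as a finding rather than an immediate lockout.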