ISO 27001 Annex : A.7 Human Resource Security

A.7.1  Prior to Employment

The objective of ISO 27001 Annex A.7 Human Resource Security is to make sure that both employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1  Screening

Control- Background verification checks on all job applicants will be performed in compliance with applicable rules, legislation, and ethics and should be proportionate to business criteria, classification of the information to be obtained, and potential risks.

Implementation Guidance- All applicable privacy, personally identifiable information protection and employment-based legislation should be taken into consideration, and the checks should, where permitted, include the following:

  • Availability of appropriate references to character, e.g. one business and one personal;
  • A verification of the applicant’s curriculum vitae (for completeness and correctness);
  • Verification of asserted professional and academic qualifications;
  • Independent biometric identification (passport or similar document);
  • Further, more detailed checks, such as credit verification or criminal record verification.


When recruiting an individual for a designated information security role, the organization should make sure that the candidate:

  • Has the expertise needed to carry out the security role;
  • Can be trusted to take up the role, especially where the role is important to the organization.

Where a position, either on initial appointment or on promotion, involves access to information processing facilities, and in particular where it involves handling sensitive information such as financial or highly confidential information, the organization should also consider further, more detailed verification.

“No matter how good or successful you are or how clever or crafty, your business and its future are in the hands of people you hire.”
- Akio Morita

Procedures should define the criteria and limitations for verification reviews, for example who is eligible to screen people, and how, when and why verification reviews are carried out.

A screening process should also be ensured for contractors. In these cases, the agreement between the organization and the contractor should specify the responsibilities for conducting the screening and the notification procedures to be followed if the screening has not been completed or if the results give rise to doubts or concerns.

Information on all candidates being considered for positions within the organization should be collected and handled in accordance with the applicable legislation in the relevant jurisdiction. Depending on the applicable legislation, candidates should be informed beforehand about the screening activities.

This is where Human Resources plays a crucial role in the organization, beginning with selecting the right people and making them aware of their roles and responsibilities; with this role comes a great responsibility for the security of the organization. Training sessions at Infosavvy provide you with in-depth knowledge of the security measures that HR needs to take while hiring a candidate; the guidelines for this security role are covered in IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Infosavvy coaches help you develop your abilities and learn to recruit people who are qualified or have expertise for a specific role. We provide many examples to make your learning more interactive and efficient.

A.7.1.2  Terms and Conditions of Employment

Control- The contractual agreements with employees and contractors should state their responsibilities and the organization’s responsibilities for information security.

Implementation Guidance- The contractual obligations of employees or contractors should reflect the organization’s information security policies and should, in addition, clarify and state the following points:

  • That all employees and contractors who are given access to confidential information should sign a confidentiality or non-disclosure agreement before being granted access to information processing facilities;
  • Legal responsibilities and rights of the employee or contractor, e.g. copyright or data protection legislation;
  • Responsibilities for classifying information and handling organizational assets related to information, information processing and information services managed by the employee or contractor;
  • Employee or contractor’s responsibilities in the handling of information received from other companies or from outside parties;
  • Actions to be taken where the employee or contractor fails to comply with the security requirements of the organization.

Roles and responsibilities in information security should be communicated to job applicants during the pre-employment process.

The organization should ensure that employees and contractors agree to the terms and conditions concerning information security appropriate to the nature and extent of their access to the organization’s information systems, services and assets.

Responsibilities under the terms and conditions of employment should, where appropriate, continue for a defined period after the termination of employment.

Other Information- A code of conduct may be used to set out the information security responsibilities of employees or contractors regarding confidentiality, data protection, ethics, appropriate use of the organization’s equipment and facilities, and the reputable practices expected by the organization. An external party with which a contractor is associated may be required to enter into contractual arrangements on behalf of the contracted individual.


Questions related to this topic
  1. What is ISO 27001 Annex A.7 Human Resource Security?
  2. How do companies verify employment history?
  3. What background check do most employers use?
  4. What does HR look for in a background check?
  5. Explain the controls of ISO 27001 Annex A.7 Human Resource Security.
  6. How do I run an employment verification on myself?

This blog article is posted by Infosavvy, 5B 306 Riverside Greens, Panvel, Raigad 410206 Maharashtra, India.
