ISO/IEC 27001 •

ISO 27001 – Annex A.7: Human Resource Security

Get ISO 27001 certified 5 x faster with ISMS.online

See it in action
By Max Edwards | Updated 14 December 2023

Please be aware that as of October 2022, ISO 27001:2013 was revised and is now known as ISO 27001:2022. Please see the full revised ISO 27001 Annex A Controls to see the most up-to-date information.

See revised Annex A controls

Jump to topic


What is the objective of Annex A.7.1?

Annex A.7.1 is about prior to employment. The objective in this Annex is to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. It also covers what happens when those people leave or change roles.

It’s an important part of the information security management system (ISMS) especially if you’d like to achieve ISO 27001 certification.

A.7.1.1 Screening

A good control covers background verification and competence checks on all candidates for employment. These must be carried out in accordance with the relevant laws, regulations and ethics, and should be proportional to the business requirements, the classification of the information that will be accessed and the perceived risks associated.

For example, staff accessing higher level information assets that carry more risk may be subject to much more stringent checks than staff who only ever get access to public information or handle assets with limited threat. Putting in place adequate and proportionate HR controls at all stages of employment helps to reduce the likelihood of accidental or malicious threats.

The screening should also take place for contractors (unless their parent organisation meets your broader security controls e.g. has their own ISO 27001 and does their own background checks).

An auditor will expect to see a screening process with clear procedures being operated consistently each time to also help avoid any preference/prejudice risks too. Ideally this will be aligned with the overall organisation hiring process.

A.7.1.2 Terms & Conditions of Employment

The contractual agreement with employees and contractors must state their and the organisation’s responsibilities for information security. These agreements are a good place to put key information security general and individual responsibilities as they carry legal weight – meaning they are backed up by the law.

This is also very important as regards GDPR and the new Data Protection Act 2018. They should reference and cover a whole range of control areas including overall compliance with the ISMS as well as more specifically acceptable use, IPR ownership, return of assets etc.

We recommend working with an HR Lawyer if you are unsure as the consequences for getting employment contracts wrong from an information security perspective (and other dimensions) can be significant.


What is the objective of Annex A.7.2?

The objective in this Annex is to ensure that employees and contractors are aware of and fulfil their information security responsibilities during employment.

A.7.2.1 Management responsibilities

A good control describes how employees and contractors apply information security in accordance with the policies and procedures of the organisation.

The responsibilities placed upon managers should include requirements to; Ensure that those they are responsible for understand the information security threats, vulnerabilities and controls relevant to their job roles and receive regular training (as per A7.2.2); Ensure buy-in to proactive and adequate support for relevant information security policies and controls; and Reinforce the requirements of the terms and conditions of employment.

Managers play a critical role in ensuring security consciousness and conscientiousness throughout the organisation and in developing an appropriate “security culture”.

A.7.2.2 Information Security Awareness, Education & Training

All employees and relevant contractors must receive appropriate awareness education and training to do their job well and securely. They must receive regular updates in organisational policies and procedures when they are changed too, along with a good understanding of the applicable legislation that affects them in the role.

It is common for the information security team to partner with HR or a Learning & Development team to carry out skills, knowledge, competence and awareness assessments and to plan and implement a programme of awareness, education and training throughout the employment lifecycle (not just at induction). You need to be able to demonstrate that training and compliance to auditors.

Also carefully consider how the training and awareness is delivered to give the staff and contractor resource the best chance of understanding and following it – this means careful attention to content and medium for delivery.


What is the objective of Annex A.7.3?

Annex A.7.3 is about termination and change of employment. The objective in this Annex is to protect the organisation’s interests as part of the process of changing and terminating employment.

A.7.3.1 Termination or change of employment responsibilities

Information security responsibilities and obligation that remain valid after termination or change of employment must be defined, communicated to the employee or contractor and enforced. Examples include keeping information confidential and not leaving with information that belongs to the organisation.

It is really important to ensure that information remains protected after an employee or contractor leaves the organisation, as people themselves are walking data stores. The contractual terms & conditions should reinforce this, and the leaver’s process and/or contract termination process (including return of assets) should include a reminder to individuals that they have some responsibilities to the organisation even after they have left.

An auditor will want to see evidence of leavers having returned their assets and the process being closed off and documented to demonstrate assets are updated in the asset inventory (A8.1.1) where appropriate too.

This is not just about termination and exit. If an employee changes role e.g. moving from operations to sales, you should do a review to demonstrate they no longer have access to information assets that are not required in the new role, and are provisioned with access to information assets needed for the future.

A.7.2.3 Disciplinary Process

There needs to be a documented disciplinary process in place and communicated (in line with A7.2.2 above). Whilst focused here for disciplinary action following security breaches, it can also be dovetailed with other disciplinary reasons. If your organisation already has a recognised HR disciplinary process then ensure it covers information security in the manner required for the ISO 27001:2013 standard.

Get an 81% headstart

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

ISO 27001 requirements


ISO 27001 Annex A Controls


About ISO 27001


ISMS.online launches a new Public API. Click here to find out more