Control 6.1 deals with the background checks that are required on all employees and selected suppliers, prior to them joining the organisation.
Control 6.1 advocated for a proportional approach to verification checks that is linked to the unique requirements of the organisation, and encompasses all the relevant laws, regulations and ethical standards that an organisation holds themselves to, wherever they operate.
When carrying out checks, organisations should be mindful of the type of information that each employee/supplier will come into contact with throughout their job role, and any associated risks.
Control 6.1 is a preventive control that maintains risk by establishing a screening process that vets all full-time, part-time and casual/temporary staff and suppliers, to ensure that only fit and proper personnel are able to access information.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human Resource Security | #Governance and Ecosystem |
Employment verification checks are usually carried out prior to a person starting their job. As such, ownership of 6.1 should rest with an organisation’s HR Manager.
Screening activities should include the following checks:
Background verification often includes the collection, processing and transfer of PII and/or protected characteristics (UK law). As such, organisations should ensure strict adherence to any prevailing employment legislation, wherever they operate.
This usually involves informing the candidate of the screening process (both in terms of the data being processed and what it’s being used for), prior to the verification being carried out.
Screening procedures should clearly outline the personnel responsible for carrying out the screening on behalf of the organisation, and the underlying reason as to why screening is being conducted in the first place.
If screening is to be carried out on suppliers, it’s important to include this requirement in any contractual agreements prior to services being rendered.
Once an employee/supplier has been vetted and hired, the organisation should take steps to ensure that the candidate has the ability to carry out their role as advertised, and has proven themselves to be a trustworthy individual, especially if their role includes any information security-related activities.
Control 6.1 gives organisations considerable leeway on the circumstances that are required prior to initiating enhanced vetting controls.
Such procedures should be decided on a job-by-job basis, and no distinction should be made between new staff, or existing staff that have been promoted to a role that features a greater amount of responsibility.
Roles that require enhanced screening can be defined as any that deal with information processing as a daily activity (e.g. HR), or any role that includes the handling or processing of PII, financial information or any other type of sensitive data.
Organisations should also consider ways in which to verify the ongoing suitability of any personnel who are employed within a critical role.
In certain circumstances (urgent hires, third-party delays, application mistakes etc.), screening is not always able to be completed in a timely manner.
Where this occurs, organisations should consider alternative courses of action that minimises the risks associated with an unscreened member of staff, including:
27002:2022-6.1 replaces 27002:2013-7.1.1 (Screening).
27002:2022-6.1 contains the same basic guidance points as 27002:2013-7.1.1, in advising organisations on what information is required to be verified prior to an employee/supplier starting their job (references, CV, identity etc).
Building on the basic guidance offered, 27002:2022-6.1 also contains additional information on how organisations should react to incomplete verifications, including potential termination.
The ISMS.online platform provides a range of powerful tools that simplify the way you can document, implement, maintain and improve your information security management system (ISMS) and achieve compliance with ISO 27002.
Get in touch today to book a demo.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |