A proactive approach to privacy protection depends on robust human resource security controls that govern the suitability and competency of all personnel who are expected to interact with PII on the organisation’s behalf.
ISO classifies such measures into two categories:
Clause 6.4 contains two main sub-clauses that contain specific guidance linked to corresponding information within ISO 27002, albeit under the guise of privacy protection, rather than general information security:
Unlike other parts of ISO 27701, neither clause is relevant to any specific area of GDPR, nor do they contain any additional guidance for PIMS-related activities.
Due to a number of legislative and contractual factors, ISO 27701 6.4.1.2 (dealing chiefly with employment contracts) contains information that requires cross-referencing with various other clauses contained within ISO 27002. Organisations should therefore look closely at their contractual terms and conditions, and adapt their HR operation accordingly.
Organisations should create a screening process to bolster human resource security that covers all full-time and part-time personnel and is also extended to third-party contractors through the relevant supplier agreements.
Organisations should remain mindful of their responsibility as a PII processor when collecting information on candidates and suppliers, including staying on the right side of national and devolved legislation that governs how candidates are informed of screening activities before they are carried out.
Background checks should include at a minimum:
If the candidate is to be employed in a role that is commercially sensitive, or endows the candidate with a large amount of trust were they to be successful in their application, organisations should also consider carrying out enhanced vetting procedures – such as credit checks and/or criminal record checks – as appropriate.
Organisations should also consider ways to verify the ongoing suitability of any personnel employed in a critical role. Such procedures should be decided on a job-by-job basis, and no distinction should be made between new staff and existing staff who have been promoted to a role that carries a greater amount of responsibility.
Employment screening cannot always be completed in a timely manner. Where this occurs, organisations should consider alternative courses of action that minimise the risks associated with an unscreened member of staff, including:
Employment contracts should be drafted and signed with organisational information security in mind, including any topic-specific policies that have been developed to help bolster privacy protection on a departmental basis.
Contracts should contain privacy protection measures proportional to the role they are attached to, and should be reviewed against prevailing legislation and any regulatory or contractual obligations.
Privacy protection roles and responsibilities should be widely disseminated to candidates throughout the recruitment process. Employment contracts should include:
Along with ongoing employment responsibilities, personnel may also be asked to adhere to an organisation-wide ‘code of conduct’ that sets out the basic principles of the organisation’s privacy protection operation and PII-related activities.
ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
---|---|---|---|
6.4.1.1 | Screening | 6.1 – Screening for ISO 27002 | None |
6.4.1.2 | Terms and Conditions of Employment | 6.2 – Terms and Conditions of Employment for ISO 27002 | None |
Our cloud-based platform allows you to access all your PIMS resources in one place. You can use our easy-to-use platform to document everything you need to show that you meet the requirements of ISO 27701.
Our Assured Results Method (ARM) demystifies the requirements of ISO 27701 and gives you confidence as you progress towards the attainment of certification. We have an in-house team of information security experts who can provide guidance and answer questions to help you on your way to ISO 27701 certification.