ISO 27701, Clause 6.4 – Human Resource Security

ISO 27701 Controls and Clauses Explained

Book a demo

business,team,discussion,meeting,corporate,concept

Part and parcel of fostering a proactive approach to privacy protection involves implementing robust human resource security controls that govern the suitability, and competency, of all personnel who are expected to interact with PII on the organisation’s behalf.

ISO classifies such measures into two categories:

  1. Pre-employment screening (references, ID checks etc).
  2. The contractual obligations that personnel are expected to adhere to once they become part of the organisation.

What’s Covered in ISO 27701 Clause 6.4

Clause 6.4 contains two main sub-clauses that contain specific guidance linked to corresponding information within ISO 27002, albeit under the guise of privacy protection, rather than general information security:

  1. ISO 27701 6.4.1.1 – Screening (References ISO 27002 Control 6.1)
  2. ISO 27701 6.4.1.2 – Terms and Conditions of Employment (References ISO 27002 Control 6.2)

Unlike other parts of ISO 27701, neither clause is relevant to any specific area of GDPR, nor do they contain any additional guidance for PIMS-related activities.

Due to a number of legislative and contractual factors, ISO 27701 6.4.1.2 (dealing chiefly with employment contracts) contains information that requires cross-referencing with various other clauses contained within ISO 27002. Organisations should therefore look closely at their contractual terms and conditions, and adapt their HR operation accordingly.

Achieve ISO 27701 Success

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 6.4.1.1 – Screening

References ISO 27002 Control 6.1

Organisations should create a screening process to bolster human resource security, inclusive of all full-time and part-time personnel, and should also be extended to third-party contractors through the relevant supplier agreements.

Organisations should ensure that they are mindful of their responsibility as a PII processor when collecting information on candidates and suppliers, including staying on the right side of national and devolved legislation that govern how candidates are informed of screening activities before they are carried out.

Background checks should include at a minimum:

  • References (ideally a business and a personal reference).
  • A complete verification of the candidate’s resume.
  • Verification of academic, professional and vocational qualifications and certifications.
  • IDV (Identity Verification) that takes into account government-issued ID material, or an appropriate level of verification where such documents aren’t able to be produced (e.g. bank statements or local authority correspondence).

If the candidate is to be employed in a role that is commercially sensitive, or endows the candidate with a large amount of trust were they to be successful in their application, organisations should also consider carrying out enhanced vetting procedures – such as credit checks and/or criminal record checks – as appropriate.

Organisations should also consider ways in which to verify the ongoing suitability of any personnel who are employed within a critical role. Such procedures should be decided on a job-by-job basis, and no distinction should be made between new staff, or existing staff that have been promoted to a role that features a greater amount of responsibility.

Employment screening is not always able to be completed in a timely manner. Where this occurs, organisations should consider alternative courses of action that minimises the risks associated with an unscreened member of staff, including:

  • Delayed onboarding.
  • Restricted access to systems.
  • Withholding company assets and equipment.
  • Termination of employment.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how easy ISO 27701 is with ISMS.online
Get your quote

ISO 27701 Clause 6.4.1.2 – Terms and Conditions of Employment

References ISO 27002 Control 6.2

Employment contracts should be drafted and signed with organisational information security in mind, including any topic-specific policies that have been developed to help bolster privacy protection on a departmental basis.

Contracts should have a degree of privacy protection measures that are proportional to the role they are attached to, and should be reviewed in the face of prevailing legislation, or regulatory/contractual obligations.

Privacy protection roles and responsibilities should be widely disseminated to candidates throughout the recruitment process. Employment contracts should include:

  1. NDA clauses which are extended to all staff who deal with confidential information and/or secure organisational assets (see ISO 27002 6.6).
  2. All of the organisation and employee’s legal obligations, especially any that deal with IP or privacy protection see (see ISOs 27002 5.32 and 5.34).
  3. All relevant responsibilities concerning the classification and management of information, processing facilities and ICT services (see ISOs 27002 5.9 and 5.13).
  4. What the consequences are for any personnel that flaunt the organisation’s privacy protection policies.
  5. Where relevant, a series of responsibilities that carry over for an appropriate period of time after personnel have left the organisation (e.g., NDAs, IP stipulations).

Along with ongoing employment responsibilities, personnel may also be asked to adhere to an organisation-wide ‘code of conduct’, that sets out the basic principles of an organisation’s privacy protection operation, and PII-related activities.

Relevant ISO 27002 Controls

  • ISO 27002 5.9
  • ISO 27002 5.13
  • ISO 27002 5.32
  • ISO 27002 5.34
  • ISO 27002 6.4
  • ISO 27002 6.5
  • ISO 27002 6.6

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27002 ControlAssociated GDPR Articles
6.4.1.1Screening6.1 – Screening for ISO 27002None
6.4.1.2Terms and Conditions of Employment6.2 – Terms and Conditions of Employment for ISO 27002None

How ISMS.online Helps

Our cloud-based platform allows you to access all your PIMS resources in one place. You can use our easy-to-use platform to document everything you need to show that you meet the requirements of ISO 27701.

Our Assured Results Method (ARM) demystifies the requirements of ISO 27701 and gives you confidence as you progress towards the attainment of certification. We have an in-house team of information security experts who can provide guidance and answer questions to help you on your way to ISO 27701 certification.

Find out more by booking a demo.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global
100% of our users pass certification first time
Book your demo

Streamline your workflow with our new Jira integration! Learn more here.