ISO 27001 Annex A.7 – Human Resource Security


What is the objective of ISO 27001 Annex A.7.1?

Annex A.7.1 ‘Prior to employment’ requires the company to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1 forms part of the information security management system (ISMS) and is an integral step to achieve ISO 27001 certification. It contains the two controls listed below.

A.7.1.1 Screening

Annex 7.1.1 or Control A.7.1.1 stipulates that background verification checks should be carried out on all candidates for employment, in accordance with relevant laws, regulations and ethics, and that they should be proportional to the perceived risks. Screening for a role that requires access to a higher classification of information asset should therefore be more stringent than screening for a role that only accesses lower levels of information.

Making the right hiring decisions should not be left to chance. It is vital to ensure that the individual has the integrity, skills and experience necessary for you to place your company’s trust, data and technology in their hands. Screening is essential, particularly for maintaining compliance in sensitive industries such as healthcare or finance. The screening process you conduct is likely to be driven by the role, for example:

Developer

✔ ID check

✔ Proof of address

✔ Right to work

✔ Employment history

✔ References

✔ Basic criminal record check

✔ Qualifications

Chief technology officer

✔ ID check

✔ Proof of address

✔ Right to work

✔ Employment history

✔ References

✔ Basic criminal record check

✔ Qualifications

✔ Sanctions check

✔ Credit check

✔ Directorship check

✔ Social media check

A.7.1.2 Terms & Conditions of Employment

Annex 7.1.2 or Control A.7.1.2 requires contractual agreements with employees and contractors to state the individual’s and the company’s responsibilities for information security. It ensures that everyone understands their obligations and responsibilities with respect to your ISMS even before they start with your company.


What is the objective of Annex A.7.2?

Annex A.7.2 ‘During employment’ requires the company to make sure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2 forms part of the information security management system (ISMS) and is an integral step to achieve ISO 27001 certification. It contains the two controls listed below.

A.7.2.1 Management Responsibilities

Annex 7.2.1 or Control A.7.2.1 requires management to ensure all employees and contractors apply information security in accordance with the established policies and procedures of the organisation.

Management responsibilities include ensuring that employees and contractors:

  1. Are aware of their information security roles and responsibilities – the Adoptech Roles and Responsibilities Policy outlines the process for allocating these responsibilities.
  2. Achieve a level of information security awareness – a training plan must be maintained and executed that is aligned with the roles and responsibilities the individual undertakes.
  3. Are provided with an anonymous reporting channel to report violations of information security policies or procedures – this is outlined within the Adoptech Information Security Enforcement Policy.

In addition, management must sign off information security policies and ensure the respective controls are maintained – the Adoptech platform provides a management approval and staff attestation workflow for all policies.

A.7.2.2 Information Security Awareness, Education and Training

Annex 7.2.2 or Control A.7.2.2 outlines that all employees and, where relevant, contractors should receive appropriate awareness education and training, together with regular updates on organisational policies and procedures, as relevant for their job function.

An information security awareness programme should be provided to all relevant staff, in line with the company’s information security policies. The programme should be documented and reviewed on a regular basis to ensure its objectives are being met.

The Adoptech platform enables all staff in scope of information security policies to read and attest that they have understood each policy on an appropriately regular basis. ISO clients are also provided with support on creating training plans that are effective and cost efficient.

A.7.2.3 Disciplinary Process

Annex 7.2.3 or Control A.7.2.3 stipulates that there should be a formal, communicated disciplinary process in place to take action against employees who have committed an information security breach. The consequences of such a breach should be made clear to all staff.

The formal disciplinary process should ensure correct and fair treatment for employees who are suspected of committing breaches of information security. The Adoptech Information Security Enforcement Policy outlines the disciplinary action to be taken in the event that a member of staff has violated the Information Security Enforcement Policy.

What is the objective of Annex A.7.3?

Annex A.7.3 ‘Termination and change of employment’ is about protecting the company and its information when someone changes role or leaves the company.

A.7.3.1 Termination or change of employment responsibilities

Annex 7.3.1 or Control A.7.3.1 aims to ensure that everyone understands their ongoing information security responsibilities after a member of staff has left the company or changed role. Where appropriate, this includes responsibilities contained within any confidentiality agreement, and terms and conditions of employment that continue for a defined period after the end of the employment.
