ISO 27001 Annex A 6.1 (Screening) is a foundational personnel security control. It requires risk-based background verification of all candidates to become personnel, including contractors and temporary staff, before they join the organisation and on an ongoing basis thereafter. The control protects workforce integrity by validating identity, qualifications, employment history and, where lawful, criminal and financial records; the business benefit is a smaller insider-threat surface and auditable evidence for certification and other regulatory obligations.
ISO 27001 Annex A Screening Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 6.1 (Screening). In the 2022 edition the control requires that background verification checks on all candidates to become personnel (employees, contractors and temporary staff) are carried out prior to joining the organisation and on an ongoing basis, taking into account applicable laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
1. Define Risk-Based Screening Tiers
Control Requirement: Apply screening checks that are proportional to the risk and to the classification of information the role will access. Required Implementation Step: Create a tiered ‘Screening Matrix’ in your HR procedure, deriving each tier from the classification of data and the level of privilege the role carries. Define ‘Tier 1’ (Standard Staff) for basic checks and ‘Tier 2’ (Privileged Users/Admins/Finance) for enhanced vetting. Do not apply a blanket approach: a receptionist does not need the same vetting as a Database Administrator with root access, and an auditor will ask for the matrix as the evidence that your checks are “proportional”.
Minimum Requirement: A documented matrix linking Job Roles to specific Screening Levels (e.g., BPSS, the UK Baseline Personnel Security Standard, or BS 7858 for security-sensitive roles).
2. Verify Identity at Source
Control Requirement: Confirm the candidate is who they claim to be. Required Implementation Step: Physically inspect the original document, or use a government-certified digital identity service provider (IDSP), to validate passports or driving licences. Do not accept scanned email attachments or photocopies without verifying the original document; scans are easily forged and prove only that someone had access to an image.
Minimum Requirement: Verified copies of government-issued photo ID for every joiner, stored securely and separately from the general personnel file.
3. Validate Academic and Professional Qualifications
Control Requirement: Ensure claimed competencies are genuine. Required Implementation Step: Contact the issuing university or certification body directly (or use a vetting agency) to confirm degrees and certifications, using the awarding body’s own verification service or registry where one exists. A LinkedIn profile or a PDF certificate supplied by the candidate is a claim, not evidence: image-editing software makes convincing fake degree and CISSP certificates trivial to produce.
Minimum Requirement: Direct confirmation from the awarding body for the highest qualification claimed.
4. Scrutinise Employment History and Gaps
Control Requirement: Verify the candidate’s honesty regarding their past experience. Required Implementation Step: Request references from the HR departments of previous employers, not from personal mobile numbers or personal email addresses supplied by the candidate. Specifically investigate employment gaps longer than 3 months. If a reference cannot be obtained, require tax documentation (e.g., a UK P45 or P60) to evidence tenure.
Minimum Requirement: Validated references covering the last 3-5 years with written explanations for any gaps.
5. Conduct Criminal Record Checks
Control Requirement: Identify potential risks related to criminal behaviour, where legally permissible. Required Implementation Step: For UK-based roles, conduct a Basic DBS check as the standard. For high-trust roles (e.g., regulated financial positions, healthcare, work with children or vulnerable adults), conduct Standard or Enhanced DBS checks. Note that Standard and Enhanced checks may only be requested for roles that are legally eligible for them; for every other role the Basic check is the maximum lawfully available, so your Screening Matrix must record the eligibility basis, not just the desired level. Ensure your policy explicitly states that offers are “subject to satisfactory clearance” and defines what constitutes a “fail” (e.g., fraud convictions vs. minor driving offences).
Minimum Requirement: A valid DBS certificate (or local equivalent) issued within the last 3 months for all eligible staff.
6. Perform Financial Integrity Checks
Control Requirement: Assess financial stress or a history of fraud for sensitive roles. Required Implementation Step: With the candidate’s informed consent, run credit checks for any role with access to company bank accounts, payroll, or significant financial data. Look for CCJs (County Court Judgments), IVAs or bankruptcies that might make an employee vulnerable to bribery or coercion, and define in advance which findings are disqualifying.
Minimum Requirement: Credit screening reports for all Finance, Procurement, and Senior Management roles.
7. Enforce Screening for Contractors and Third Parties
Control Requirement: Apply the same rigour to temporary access holders. Required Implementation Step: Amend your supplier contracts to legally mandate that the vendor performs equivalent screening (e.g., BS 7858) on their staff before they are granted access to your systems. Demand the right to audit their screening records. Do not assume the agency has checked them.
Minimum Requirement: Signed clauses in Service Agreements guaranteeing vendor staff screening compliance.
8. Validate Right to Work
Control Requirement: Ensure compliance with immigration and employment law. Required Implementation Step: Obtain and validate proof of the legal right to work in the jurisdiction (e.g., the Home Office online Share Code in the UK). An employee who lacks the legal right to work is exposed to blackmail and coercion, and the organisation to civil penalties; both are direct information security risks, not merely HR matters.
Minimum Requirement: Statutory excuses (right to work proofs) retained on file for all employees.
9. Secure the Screening Data (GDPR Compliance)
Control Requirement: Protect the sensitive PII generated during the screening process. Required Implementation Step: Store screening reports in a highly restricted partition of your HR system, accessible only to the named vetting officers. Do not circulate DBS results via email. Dispose of criminal record data once the verification decision is made, in line with the UK GDPR / Data Protection Act rules on criminal offence data and the DBS Code of Practice, which expects certificate information to be kept no longer than six months after the recruitment decision; thereafter retain only the fact, date, level and outcome of the check. Do not hoard DBS certificates indefinitely.
Minimum Requirement: Access logs showing only authorised HR personnel can view screening outcomes.
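The two evidence points in this control (who can read screening outcomes, and whether criminal record data has been disposed of on time) are the ones an auditor will test by sampling logs and registers, and they are easy to check continuously. The script below is an added example, not part of the original checklist and not code from any real HR product: it parses constructed JSON-lines audit events from a hypothetical HR system, flags any read of a `screening/…` object by a principal outside a named vetting allowlist (and any export of screening data even by an authorised user), and reports DBS records still held beyond the six-month window after the decision date. The object naming scheme, the user IDs and the register format are all assumptions made for the example.

```python
"""Continuous check of HR-system audit logs and a retention register for
ISO 27001 A.6.1 screening-data controls. All data below is constructed."""
import json
from datetime import date, timedelta

# Hypothetical allowlist: the only principals permitted to view screening outcomes.
AUTHORISED_SCREENING_READERS = frozenset({"hr.vetting1", "hr.vetting2"})

# DBS Code of Practice: certificate information should not be kept longer than
# six months after the recruitment decision. Approximated here as 183 days.
MAX_RETENTION = timedelta(days=183)

# Constructed sample audit events (JSON lines) from a fictional HR system.
SAMPLE_LOG = """
{"ts":"2025-03-01T09:12:03Z","user":"hr.vetting1","action":"view","object":"screening/dbs/emp-1042"}
{"ts":"2025-03-01T10:44:51Z","user":"it.admin7","action":"view","object":"screening/dbs/emp-1042"}
{"ts":"2025-03-02T08:00:10Z","user":"hr.vetting2","action":"export","object":"screening/credit/emp-0877"}
{"ts":"2025-03-02T08:05:00Z","user":"hr.generalist3","action":"view","object":"personnel/contract/emp-0877"}
{"ts":"2025-03-02T09:30:00Z","user":"hr.generalist3","action":"view","object":"screening/credit/emp-0877"}
"""

# Constructed retention register: one row per criminal-record result held on file.
RETENTION_REGISTER = [
    {"record": "screening/dbs/emp-1042", "decision_date": "2024-06-15", "disposed": False},
    {"record": "screening/dbs/emp-0877", "decision_date": "2025-01-20", "disposed": False},
    {"record": "screening/dbs/emp-0310", "decision_date": "2024-02-01", "disposed": True},
]


def parse_events(text):
    """Parse JSON-lines audit log text into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_screening_access(events, allowlist, allowed_actions=frozenset({"view"})):
    """Return events that violate the screening-data access policy.

    A violation is any event touching a screening/* object where the user is not
    on the allowlist, or where an allowlisted user performs an action other than
    an in-system view (export, email, download) that would move the data out of
    the restricted partition.
    """
    findings = []
    for ev in events:
        if not ev["object"].startswith("screening/"):
            continue  # ordinary personnel records are out of scope for this check
        if ev["user"] not in allowlist:
            findings.append({**ev, "reason": "user not in screening allowlist"})
        elif ev["action"] not in allowed_actions:
            findings.append({**ev, "reason": f"action '{ev['action']}' not permitted on screening data"})
    return findings


def find_overdue_retention(register, as_of, max_retention=MAX_RETENTION):
    """Return records not yet disposed of whose retention window has expired.

    `as_of` is an ISO date string (YYYY-MM-DD) so the check can be replayed
    against any reference date.
    """
    cutoff_day = date.fromisoformat(as_of)
    overdue = []
    for row in register:
        if row["disposed"]:
            continue
        decided = date.fromisoformat(row["decision_date"])
        if decided + max_retention < cutoff_day:
            overdue.append(row["record"])
    return overdue


if __name__ == "__main__":
    for f in audit_screening_access(parse_events(SAMPLE_LOG), AUTHORISED_SCREENING_READERS):
        print(f"ACCESS  {f['ts']} {f['user']:<16} {f['action']:<7} {f['object']}  <- {f['reason']}")
    for rec in find_overdue_retention(RETENTION_REGISTER, "2025-03-03"):
        print(f"RETAIN  {rec} held beyond {MAX_RETENTION.days} days after decision")
```

Run it on a schedule against the HR system’s exported audit log and the vetting team’s retention register; the two lists it produces are exactly the evidence an auditor asks for under this control, and an empty output is the state you want to be able to show.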
10. Implement Re-Screening for Role Changes
Control Requirement: Re-evaluate risk when an employee’s access level changes; the 2022 control text requires screening “on an ongoing basis”, not only at hire. Required Implementation Step: Build a “Trigger” into your internal promotion and access-request processes. If a Junior Dev (Tier 1) is promoted to DevOps Lead (Tier 2) with root access, a new, deeper level of screening must be initiated before the elevated access is granted. Initial screening does not cover future risks.
Minimum Requirement: A policy clause requiring updated checks upon promotion to senior or sensitive positions.
ISO 27001 Annex A 6.1 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| CV Verification | Uploading the candidate’s CV to the GRC portal as “Evidence”. | A CV is a marketing brochure, not a fact sheet. If you haven’t validated the claims with the source, you have verified nothing. |
| Identity Checks | Accepting a scan of a passport sent via unsecured email. | Scans are easily forged. Without inspecting the physical document, or validating the document through a certified IDSP that reads the passport’s chip, you don’t know who you hired. |
| Contractors | Ticking “N/A” because they aren’t on the payroll. | Contractors often have higher privileges than staff. If your agency didn’t screen them, you just gave root access to a stranger. |
| Reference Checks | Automated emails to personal Gmail addresses provided by the candidate. | The candidate likely listed their friend as the “Manager”. You must verify the referee is corporate (e.g., calls to the switchboard). |
| Criminal Checks | Trusting a 2-year-old DBS certificate the candidate brought with them. | Criminal records change. A certificate is a snapshot on the day it was printed and has no formal validity period. Either run a new check or, where the holder is subscribed to the DBS Update Service, perform an online status check with their consent. |
| Re-Screening | Screening once at hire and never again. | People’s circumstances change (debts, convictions). A clean record in 2015 doesn’t guarantee integrity in 2025. |
| Data Security | Leaving background check PDFs in a shared SharePoint folder. | This is a likely personal data breach: criminal offence data has specific protection under UK GDPR Article 10 and the Data Protection Act 2018, and open storage fails the integrity and confidentiality principle. Screening data must be locked down to named vetting officers, not accessible to the whole HR team. |