In this ultimate how-to-implement guide to ISO 27001 Annex A 6.1 Screening, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Define Risk-Based Screening Tiers
- 2. Verify Identity at Source
- 3. Validate Academic and Professional Qualifications
- 4. Scrutinise Employment History and Gaps
- 5. Conduct Criminal Record Checks
- 6. Perform Financial Integrity Checks
- 7. Enforce Screening for Contractors and Third Parties
- 8. Validate Right to Work
- 9. Secure the Screening Data (GDPR Compliance)
- 10. Implement Re-Screening for Role Changes
- ISO 27001 Annex A 6.1 SaaS / GRC Platform Implementation Failure Checklist
Implementing ISO 27001 Annex A 6.1 is a foundational personnel security mandate requiring risk-based background verification for all candidates and contractors prior to employment. This control ensures workforce integrity by validating identity, academic credentials, and criminal history, providing the business benefit of reduced insider threat and assured regulatory compliance.
ISO 27001 Annex A Screening Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 6.1. This control mandates that background verification checks on all candidates for employment, contractors, and temporary staff are carried out in accordance with relevant laws, regulations, and ethics, proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
1. Define Risk-Based Screening Tiers
Control Requirement: Apply screening checks that are proportional to the risk and classification of information the role will access.
Required Implementation Step: Create a tiered ‘Screening Matrix’ in your HR procedure. Define ‘Tier 1’ (Standard Staff) for basic checks and ‘Tier 2’ (Privileged Users/Admins/Finance) for enhanced vetting. Do not apply a blanket approach; a receptionist does not need the same vetting as a Database Administrator with root access.
Minimum Requirement: A documented matrix linking Job Roles to specific Screening Levels (e.g., BPSS, BS 7858).
2. Verify Identity at Source
Control Requirement: Confirm the candidate is who they claim to be.
Required Implementation Step: Physically inspect or use government-certified digital identity service providers (IDSPs) to validate passports or driving licences. Do not accept scanned email attachments or photocopies without verifying the original document, as these are easily forged.
Minimum Requirement: Verified copies of government-issued photo ID stored securely (and separately) for every joiner.
3. Validate Academic and Professional Qualifications
Control Requirement: Ensure claimed competencies are genuine.
Required Implementation Step: Contact the issuing university or certification body directly (or use a vetting agency) to confirm degrees and certifications. A LinkedIn profile or a PDF certificate provided by the candidate is not evidence; it is hearsay. Adobe Photoshop is widely used to fake CISSP and degree certificates.
Minimum Requirement: Direct confirmation from the awarding body for the highest qualification claimed.