Auditing ISO 27001 Annex A 6.1 means systematically verifying that personnel background checks are performed, so that insider threats are mitigated effectively. The primary implementation requirement is risk-proportional validation of identities and qualifications; the business benefit is a trusted workforce and stronger organisational security integrity.
This technical verification tool is designed for lead auditors to confirm the integrity of the personnel lifecycle through rigorous background validation. Use this checklist to validate compliance with ISO 27001 Annex A 6.1 (Screening) by ensuring that all personnel and contractors undergo verification proportional to their role’s risk and information sensitivity.
1. Personnel Screening Policy Formalisation Verified
Verification Criteria: A documented policy exists defining the mandatory background verification requirements for all candidates prior to joining the organisation.
Required Evidence: Approved Recruitment or Information Security Policy containing a dedicated section on “Personnel Screening” and “Background Checks”.
Pass/Fail Test: If the organisation cannot produce a formal policy that specifies the minimum screening requirements for different role types, mark as Non-Compliant.
2. Screening Rigour Proportionality Confirmed
Verification Criteria: The level of screening (e.g. basic vs. enhanced) is explicitly mapped to the business requirements, information classification access, and perceived risks of the specific role.
Required Evidence: Role-based risk assessment matrix or an HR screening tier list (e.g. Tier 1 for standard users, Tier 2 for Privileged Admins).
Pass/Fail Test: If high-privileged administrators undergo the same basic screening as non-technical entry-level staff without additional financial or enhanced background checks, mark as Non-Compliant.
3. Government-Issued Identity Verification Records Present
Verification Criteria: Formal verification of the candidate’s identity is performed using primary government-issued documentation to prevent identity fraud.
Required Evidence: Copies of passports, driving licences, or national ID cards held securely within the HR file (redacted where required by local law).
Pass/Fail Test: If a personnel file is missing a verified copy of a government-issued photo ID or evidence that the ID was sighted and verified against the individual, mark as Non-Compliant.
4. Academic and Professional Qualification Validation Evidenced
Verification Criteria: The organisation verifies that the candidate possesses the academic degrees and professional certifications claimed during the recruitment process.
Required Evidence: Verification logs from third-party screening providers or direct email confirmations/transcripts from the issuing educational institutions.
Pass/Fail Test: If the organisation relies solely on “Self-Attestation” (the candidate’s CV) for professional certifications (e.g. CISA, CISSP) without secondary verification, mark as Non-Compliant.
5. Legal Right-to-Work Compliance Confirmed
Verification Criteria: A formal check is conducted to ensure the candidate has the legal right to work in the specific jurisdiction where the service is being performed.
Required Evidence: Completed Right-to-Work check forms, visa status verification logs, or Home Office (UK) share code verification receipts.
Pass/Fail Test: If the organisation cannot produce evidence that a non-citizen’s work visa was verified before they were granted access to organisational assets, mark as Non-Compliant.
6. Criminal Record Check Evidence Identified
Verification Criteria: Criminal record checks are performed where permitted by local law and where the risk associated with the role justifies such a check.
Required Evidence: DBS certificates (UK), Disclosure certificates, or third-party background reports confirming the absence of relevant unspent convictions.
Pass/Fail Test: If a role involves handling sensitive financial data or child-related information and no criminal record check was performed, mark as Non-Compliant.
7. Employment History and Reference Verification Validated
Verification Criteria: The organisation validates the candidate’s previous employment history (typically for the last 3-5 years) and obtains character or professional references.
Required Evidence: Written references from previous employers or timestamped logs of verbal reference checks maintained in the HR system.
Pass/Fail Test: If an employee has been hired with gaps in their employment history exceeding six months that haven’t been documented or explained, mark as Non-Compliant.
8. Ongoing Screening Process Execution Verified
Verification Criteria: Screening is not treated as a “one-time” event; high-risk roles are subject to periodic re-screening or trigger-based re-validation.
Required Evidence: Re-screening schedule or logs showing that staff in critical roles (e.g. Finance/IT) undergo re-checks every 3-5 years.
Pass/Fail Test: If an individual has been in a high-privileged role for 10+ years and has never undergone a follow-up background check or credit check, mark as Non-Compliant.
9. Contractor and Third-Party Screening Alignment Validated
Verification Criteria: Agreements with external recruitment agencies or contractors mandate that they perform screening to the organisation’s defined standards.
Required Evidence: Signed Master Service Agreements (MSAs) with “Right to Audit” screening logs or certificates of compliance from the vendor.
Pass/Fail Test: If the organisation uses third-party contractors who have access to the ISMS scope but the contract doesn’t explicitly mandate screening equivalent to internal staff, mark as Non-Compliant.
10. Screening Documentation Retention Compliance Verified
Verification Criteria: Personnel screening records are retained securely and only for as long as legally required or necessary for the security of the organisation.
Required Evidence: HR Data Retention Schedule and evidence of secure disposal of surplus screening data (e.g. shredding certificates for unsuccessful candidates).
Pass/Fail Test: If sensitive background check data for rejected candidates is kept indefinitely in unencrypted folders, mark as Non-Compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Verification Depth | The tool records that a “Checklist” was completed for the user. | The auditor must verify the source. Was the degree verified by the university or just a scan of a PDF that could be forged? |
| Role Specificity | The platform applies a global “Screened” tag to all users. | Audit the delta between an intern and the CISO. High-risk roles require deeper financial and criminal scrutiny. |
| Third-Party Contractors | The GRC tool only syncs with the internal HR system (e.g. Workday). | Contractors often bypass HR systems. Demand the screening logs from the external agencies providing “temporary” IT staff. |
| Ongoing Screening | The platform assumes a person is safe because they were hired 5 years ago. | Demand evidence of re-screening for personnel who have been promoted into sensitive roles. |
| Reference Authenticity | Tool records that “Two references were provided”. | Check the emails of the referrers. Personal Gmail accounts for professional references are a significant red flag. |
| Right to Work | The tool assumes compliance based on a “Nationality” field. | Verify the expiry dates of visas. A one-time check at hire does not account for a visa expiring 12 months later. |
| Identity Validation | The SaaS tool records that a photo was uploaded. | Auditors must verify that a manager or HR rep actually met the person (physically or via video) to confirm they match the ID. |
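Several of the Pass/Fail tests above (items 2, 3, 5, 7, 8 and 9, plus the visa-expiry point in the table) reduce to mechanical checks that an auditor can run over an HR screening export before sampling files by hand. The script below is an added example, not part of the checklist or any GRC product: the `ScreeningRecord` fields, the tier mapping, the 5-year re-screening bound (the upper end of the 3-5 year range), the 6-month gap limit and the sample records are all constructed assumptions, and the organisation's own screening policy supplies the real values.

```python
"""Added example: automated pre-checks for ISO 27001 A.6.1 screening evidence.

All thresholds, field names and sample records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical thresholds; the organisation's screening policy sets the real values.
REQUIRED_TIER = {"standard": 1, "privileged": 2}  # item 2: tier mapped to role risk
RESCREEN_INTERVAL_YEARS = 5                        # item 8: upper end of the 3-5 year range
MAX_UNEXPLAINED_GAP_MONTHS = 6                     # item 7: longest undocumented gap tolerated


@dataclass
class ScreeningRecord:
    """One row of a (constructed) HR screening export."""
    person_id: str
    role_risk: str                      # "standard" or "privileged"
    screening_tier: int                 # tier actually applied at hire
    id_verified: bool                   # government-issued ID sighted and matched (item 3)
    last_screened: date                 # most recent completed screening
    visa_expiry: Optional[date]         # None when no time-limited right to work applies (item 5)
    unexplained_gap_months: int         # largest undocumented employment gap (item 7)
    is_contractor: bool
    contract_mandates_screening: bool   # item 9: MSA requires screening to internal standard


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping 29 February to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def audit_record(rec: ScreeningRecord, today: date) -> List[str]:
    """Return the checklist findings that apply to one record (empty list = compliant)."""
    findings: List[str] = []
    if rec.screening_tier < REQUIRED_TIER[rec.role_risk]:
        findings.append("A6.1-2 tier below role risk")
    if not rec.id_verified:
        findings.append("A6.1-3 identity not verified")
    # A visa verified at hire can still have expired since; compare against the audit date.
    if rec.visa_expiry is not None and rec.visa_expiry < today:
        findings.append("A6.1-5 right-to-work expired")
    if rec.unexplained_gap_months > MAX_UNEXPLAINED_GAP_MONTHS:
        findings.append("A6.1-7 unexplained employment gap")
    # Periodic re-screening is demanded only for high-risk roles.
    if rec.role_risk == "privileged" and add_years(rec.last_screened, RESCREEN_INTERVAL_YEARS) < today:
        findings.append("A6.1-8 re-screening overdue")
    if rec.is_contractor and not rec.contract_mandates_screening:
        findings.append("A6.1-9 contract lacks screening clause")
    return findings


def audit_records(records: List[ScreeningRecord], today: date) -> Dict[str, List[str]]:
    """Map each person_id to its findings."""
    return {r.person_id: audit_record(r, today) for r in records}


# Constructed sample export: one clean employee, one stale privileged admin, one contractor.
SAMPLE_RECORDS = [
    ScreeningRecord("E-001", "standard", 1, True, date(2022, 3, 1), date(2026, 6, 30), 0, False, True),
    ScreeningRecord("E-002", "privileged", 1, True, date(2014, 6, 10), None, 0, False, True),
    ScreeningRecord("C-003", "standard", 1, False, date(2024, 5, 1), date(2024, 12, 31), 8, True, False),
]
AUDIT_DATE = date(2025, 1, 15)  # constructed audit date

if __name__ == "__main__":
    for pid, found in audit_records(SAMPLE_RECORDS, AUDIT_DATE).items():
        print(pid, "Compliant" if not found else "Non-Compliant: " + "; ".join(found))
```

The output is a triage list, not the audit itself: a record with no findings still needs the source checks in the table (who issued the degree confirmation, whether a person actually sighted the ID) before it can be marked compliant.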