In this ultimate how-to audit guide to ISO 27001 Annex A 6.1 Screening, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Personnel Screening Policy Formalisation Verified
- 2. Screening Rigour Proportionality Confirmed
- 3. Government-Issued Identity Verification Records Present
- 4. Academic and Professional Qualification Validation Evidenced
- 5. Legal Right-to-Work Compliance Confirmed
- 6. Criminal Record Check Evidence Identified
- 7. Employment History and Reference Verification Validated
- 8. Ongoing Screening Process Execution Verified
- 9. Contractor and Third-Party Screening Alignment Validated
- 10. Screening Documentation Retention Compliance Verified
1. Personnel Screening Policy Formalisation Verified
Auditing ISO 27001 Annex A 6.1 is the systematic verification that personnel background checks are performed in a way that effectively mitigates insider threats. The primary implementation requirement mandates risk-proportional validation of candidates' identities and qualifications; the business benefit is a trusted workforce and stronger organisational security integrity.
Verification Criteria: A documented policy exists defining the mandatory background verification requirements for all candidates prior to joining the organisation.
Required Evidence: Approved Recruitment or Information Security Policy containing a dedicated section on “Personnel Screening” and “Background Checks”.
Pass/Fail Test: If the organisation cannot produce a formal policy that specifies the minimum screening requirements for different role types, mark as Non-Compliant.
2. Screening Rigour Proportionality Confirmed
Verification Criteria: The level of screening (e.g. basic vs. enhanced) is explicitly mapped to the business requirements, information classification access, and perceived risks of the specific role.
Required Evidence: Role-based risk assessment matrix or an HR screening tier list (e.g. Tier 1 for standard users, Tier 2 for privileged administrators).
Pass/Fail Test: If high-privileged administrators undergo the same basic screening as non-technical entry-level staff without additional financial or enhanced background checks, mark as Non-Compliant.
3. Government-Issued Identity Verification Records Present
Verification Criteria: Formal verification of the candidate’s identity is performed using primary government-issued documentation to prevent identity fraud.
Required Evidence: Copies of passports, driving licences, or national ID cards held securely within the HR file (redacted where required by local law).
Pass/Fail Test: If a personnel file is missing a verified copy of a government-issued photo ID or evidence that the ID was sighted and verified against the individual, mark as Non-Compliant.