In this guide, I will show you exactly how to implement ISO 27001 Annex A 6.1 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 6.1 Screening
ISO 27001 Annex A 6.1 requires organizations to conduct background verification checks on all candidates prior to joining and on an ongoing basis. This control ensures that everyone, from full-time employees to temporary contractors, is trustworthy and qualified for their role. Screening must be proportionate to the risk, the classification of the information they will access, and applicable local laws.
Core requirements for compliance include:
- Risk-Based Proportionate Screening: Not everyone needs the same level of checking. A receptionist may only need an identity check, while a Database Administrator or Finance Director will likely require criminal and credit checks.
- Pre-Employment Verification: Checks must be completed before the individual is granted access to live systems or sensitive data.
- Ongoing Monitoring: Screening is not a “one-off” event. High-risk roles (like IT Admins or Executives) should have their checks repeated periodically.
- Third-Party Alignment: If you use contractors or outsourced services, you must ensure your suppliers are conducting screening to the same standard as your internal team.
- Legal & Ethical Compliance: All screening must adhere to local employment laws and data privacy regulations (e.g., GDPR). You must obtain explicit consent from the individual before conducting background checks.
Audit Focus: Auditors will look for “The HR Gap”:
- The Onboarding Process: “Show me the record for the last person you hired. Were their references and ID verified before their start date?”
- Handling Failures: “What is your process if a background check comes back with a ‘fail’ result? Who makes the final decision?”
- Third-Party Evidence: They will often ask to see redacted screening results for a random sample of both permanent staff and contractors.
Screening Level Matrix (Audit Cheat Sheet):
| Role Seniority | Mandatory Verification Checks | Security Justification | ISO 27001:2022 Mapping |
|---|---|---|---|
| Intern / Contractor | Identity (Photo ID) + Right to Work + 1 Character Reference. | Verifies legal identity and establishes a baseline for personnel reliability. | 5.7 (Screening) |
| Standard Employee | Identity + Right to Work + 2 Professional Refs + CV/Education Audit. | Confirms professional history and ensures qualifications match the job description. | 5.7 (Screening) |
| IT Admin / Finance | Standard Checks + Criminal Record (DBS) Verification. | Mitigates high-level risks involving insider fraud, sabotage, or privileged access abuse. | 5.7 & 5.18 (Access Rights) |
| Director / C-Level | Enhanced DBS + Financial Credit & Directorship Conflict Checks. | Identifies potential financial vulnerabilities and conflicts of interest at the executive level. | 5.7 & 5.1 (Management Direction) |
Table of contents
- Key Takeaways: ISO 27001 Annex A 6.1 Screening
- What is ISO 27001 Annex A 6.1?
- Watch the ISO 27001 Annex A 6.1 Tutorial
- ISO 27001 Annex A 6.1 Explainer Video
- ISO 27001 Annex A 6.1 Podcast
- ISO 27001 Annex A 6.1 Implementation Guidance
- How to implement ISO 27001 Annex A 6.1
- Screening Level Matrix Example
- ISO 27001 Annex A 6.1 Implementation Checklist
- ISO 27001 Annex A 6.1 Audit Checklist
- How to pass the audit of ISO 27001 Annex A 6.1
- What the auditor will check
- Top 3 ISO 27001 Annex A 6.1 mistakes and how to avoid them
- Applicability of ISO 27001 Annex A 6.1 across different business models.
- Fast Track ISO 27001 Annex A 6.1 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 6.1 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Annex A 6.1 Attributes Table
What is ISO 27001 Annex A 6.1?
ISO 27001 Annex A 6.1 is about screening, which means you must do a background check on people before they gain access to systems and information.
ISO 27001 Annex A 6.1 Employee Screening is an ISO 27001 control that wants you to do background checks on people before, and during, employment.
The control recognises that screening has to be in line with the law, ethics and regulation, and that the depth of the checks depends on what people do and what they can access.
ISO 27001 Annex A 6.1 Purpose
The purpose of ISO 27001 screening is to ensure we have checked people to an appropriate level before they get access to our data and information. Screening is proportionate to risk and done within the framework of applicable laws. Its purpose is to reduce risk by making sure that people are who they say they are, can do the things they say they can do, and show no indicators that they will do something bad.
ISO 27001 Annex A 6.1 Definition
ISO 27001 defines ISO 27001 Screening as:
Background verification checks on all candidates to become personnel should be carried out prior to joining the organisation and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
ISO27001:2022 Annex A 6.1 Employee Screening
Watch the ISO 27001 Annex A 6.1 Tutorial
In the video ISO 27001 Screening Explained – ISO27001:2022 Annex A 6.1 I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 6.1 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 6.1 Screening, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 6.1 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into ISO 27001 Annex A 6.1 Screening. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 6.1 Implementation Guidance
Who should be screened?
The headline guidance is to perform background checks on everyone which includes people that are:
- full time
- part time
- temporary
- or third party supplier resources.
Background checks and the law
Speak to your legal team or legal counsel to guide and agree with you what can and cannot be done. That always takes precedence.
Given that background checks typically involve the collection, processing, and transfer of personally identifiable information and protected characteristics (as defined by UK law), organisations must adhere rigorously to all applicable employment laws in every jurisdiction where they operate.
ISO 27001 Background Check Requirements
The level of background checks is going to be proportionate to need and risk, but the common requirements to consider are:
- References
- Verify the CV
- Confirm qualifications
- Verify Identity
- Where appropriate, criminal or finance checks.
Enhanced Vetting
The level of checks is going to be proportionate to the role and the risk posed. Not everyone will go through a full and rigorous check but there are roles that are inherently risky and require additional checks to be put in place. Common examples of roles requiring enhanced vetting include:
- Admins
- Power users
- Directors
- Those with financial authority
- Those with legal authority
- Those processing highly confidential or protected characteristic data
Information Security Roles
For people in information security roles, you will make sure they are competent to do the job and can be trusted. This seems to push the industry certifications agenda and I am unsure how you can measure trust, but be aware of it.
What if you can’t do the checks in time
If you cannot do the checks in time the standard has some pretty harsh guidance. I am not sure I agree in total but their approach is around delaying them joining, not giving them company stuff, allowing them only limited access or even sacking them. There is a limit to how practical this is so use judgement and have something in place for when you don’t get the results of checks back in time.
Do it and do it again
Now there has to be a mechanism for repeating the checks periodically. You define periodically. Just document how often you do it but do it proportionate to your needs and your risks.
Screening Process
Screening procedures must clearly identify responsible personnel and the purpose of the screening process.
Where to get more guidance
You can get more guidance in the beginner’s guide to ISO 27001 background checks.
How to implement ISO 27001 Annex A 6.1
Implementing ISO 27001 Annex A 6.1 (Control 5.7 in the 2022 update) requires a risk-based approach to personnel security. By formalising the vetting process before granting access to sensitive assets, organisations can significantly reduce the risk of insider threats and demonstrate due diligence to certification auditors.
1. Formalise the Personnel Screening Policy
Establish a documented policy that defines the scope, depth, and legal requirements for background verification checks across different job roles.
- Categorise job roles based on the level of risk and access to sensitive information, such as IAM roles with administrative privileges.
- Define the mandatory verification requirements for each tier, including identity, employment history, and professional qualifications.
- Ensure the policy adheres to local data protection laws, such as UK GDPR and the Data Protection Act 2018.
2. Provision Verification for Identity and Right to Work
Execute mandatory identity checks to confirm the candidate is who they claim to be and possesses the legal right to work in the relevant jurisdiction.
- Verify government-issued photo identification, such as a passport or biometric residence permit.
- Perform official Right to Work checks via the Home Office or relevant local authority portals.
- Document the verification date and results within the personnel file as primary audit evidence.
3. Validate Employment History and Professional Credentials
Confirm the accuracy of the candidate’s professional background and educational attainments through independent verification.
- Obtain written references from previous employers covering a minimum period of 3 to 5 years.
- Verify academic degrees and professional certifications directly with the issuing institutions or professional bodies.
- Cross-reference the candidate’s CV against verified data to identify any gaps or inconsistencies in employment.
4. Execute Risk Based Criminal and Financial Checks
Perform additional vetting for high-risk roles that involve handling sensitive financial data or managing critical infrastructure.
- Request Basic or Enhanced DBS (Disclosure and Barring Service) checks for personnel with significant security responsibilities.
- Conduct credit checks for roles in Finance, Payroll, or senior leadership to identify potential financial vulnerabilities.
- Update the Register of Entrants (ROE) to reflect the completion of these specialised checks before provisioning system access.
5. Formalise Agreements with Third Party Screening Providers
Ensure that external agencies used for vetting comply with the organisation’s security standards and legal obligations.
- Review the service level agreements (SLAs) of third-party screening providers to ensure their vetting depth matches your ISMS requirements.
- Establish a secure process for the transfer and storage of sensitive candidate data to prevent unauthorised disclosure.
- Periodically audit the screening provider to verify that checks are being performed consistently and accurately.
6. Document the Decision and Trigger Onboarding
Consolidate all screening evidence into a final decision-making process before the candidate is authorised to access corporate assets.
- Archive all screening reports, reference letters, and identity copies in a secure document management system.
- Trigger the provisioning of IAM roles and MFA only after the HR department confirms that all vetting requirements have been met.
- Maintain a clear audit trail showing that screening was completed prior to the commencement of employment.
Screening Level Matrix Example
| Role Level | Basic Check | Standard Check | Enhanced Check |
|---|---|---|---|
| Intern / Contractor | ID + Right to Work. | 1 Reference. | N/A |
| Standard Employee | ID + Right to Work. | 2 References + CV Check. | N/A |
| IT Admin / Finance | ID + Right to Work. | 2 Refs + CV Check. | Criminal (DBS) Check. |
| Director / C-Level | ID + Right to Work. | 2 Refs + CV Check. | Credit Check + Directorship Check. |
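The tiered matrix above and the "screen before access" gate from steps 1 and 6, as an added Python example that is not from the page or from the High Table toolkit. The role keys, check names, re-screening intervals and sample dates are assumptions chosen for illustration; the decision logic also covers the failure and late-result cases the audit checklist asks about.

```python
"""Screening gate for Annex A 6.1: hypothetical example, not a product's code."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

# Screening Level Matrix expressed as data. Role keys and check names are
# assumptions that mirror the matrix on the page; add rows for your own tiers.
SCREENING_MATRIX = {
    "intern_contractor": {"id", "right_to_work", "reference_1"},
    "standard_employee": {"id", "right_to_work", "reference_1", "reference_2", "cv_check"},
    "it_admin_finance": {"id", "right_to_work", "reference_1", "reference_2",
                         "cv_check", "dbs_check"},
    "director": {"id", "right_to_work", "reference_1", "reference_2", "cv_check",
                 "credit_check", "directorship_check"},
}

# Assumed re-screening intervals in days (None = no periodic repeat). The page
# says you define "periodically"; these values are placeholders, not guidance.
RESCREEN_INTERVAL_DAYS = {"intern_contractor": None, "standard_employee": None,
                          "it_admin_finance": 365, "director": 365}


@dataclass(frozen=True)
class CheckResult:
    name: str
    outcome: str                         # "pass", "fail" or "pending"
    completed_on: Optional[date] = None  # date the result was received


@dataclass(frozen=True)
class Decision:
    status: str               # "approved", "blocked" or "escalate"
    reasons: tuple[str, ...]  # audit-trail text explaining the status

    def provision_access(self) -> bool:
        """Step 6: IAM/MFA provisioning is triggered only on approval."""
        return self.status == "approved"


def required_checks(role_level: str) -> frozenset[str]:
    """Look up the mandatory checks for a role tier in the matrix."""
    if role_level not in SCREENING_MATRIX:
        raise ValueError(f"role level not in screening matrix: {role_level}")
    return frozenset(SCREENING_MATRIX[role_level])


def screening_decision(role_level: str, results: Iterable[CheckResult],
                       start_date: date) -> Decision:
    """Decide whether onboarding may proceed for the given role and evidence."""
    required = required_checks(role_level)
    by_name = {r.name: r for r in results}
    # Any failed mandatory check goes to the exception process, not silently on.
    failed = sorted(n for n in required if n in by_name and by_name[n].outcome == "fail")
    if failed:
        return Decision("escalate",
                        tuple(f"{n}: failed, refer to exception process" for n in failed))
    reasons = []
    for name in sorted(required):
        r = by_name.get(name)
        if r is None:
            reasons.append(f"{name}: not started")
        elif r.outcome == "pending":
            reasons.append(f"{name}: result not yet received")
        elif r.completed_on is None or r.completed_on > start_date:
            # Evidence must show completion before the start date.
            reasons.append(f"{name}: completed {r.completed_on}, not before {start_date}")
    if reasons:
        return Decision("blocked", tuple(reasons))
    return Decision("approved", ("all required checks passed before start date",))


def rescreen_due(role_level: str, last_screened: date, today: date) -> bool:
    """Ongoing monitoring: is a periodic repeat of the checks due for this tier?"""
    interval = RESCREEN_INTERVAL_DAYS[role_level]
    return interval is not None and today - last_screened >= timedelta(days=interval)


if __name__ == "__main__":
    # Constructed sample: an IT admin whose DBS result has not come back in time.
    start = date(2024, 3, 4)
    evidence = [CheckResult(n, "pass", date(2024, 2, 20))
                for n in required_checks("standard_employee")]
    evidence.append(CheckResult("dbs_check", "pending"))
    decision = screening_decision("it_admin_finance", evidence, start)
    print(decision.status, *decision.reasons, sep="\n  ")
```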
ISO 27001 Annex A 6.1 Implementation Checklist
Screening ISO 27001 Annex A 6.1 Implementation Checklist:
1. Establish a Screening Policy
Challenges
- Defining a clear and consistent policy that aligns with legal and regulatory requirements can be challenging.
- Ensuring the policy is communicated effectively to all relevant stakeholders (e.g., HR, hiring managers, candidates) can be difficult.
Solutions
- Involve legal and HR departments in the policy development process.
- Conduct a thorough risk assessment to determine the appropriate level of screening for different roles.
- Clearly document the ISO 27001 screening policy and make it readily available to all stakeholders.
- Provide training to HR and hiring managers on the screening policy and procedures.
2. Determine Screening Procedures
Challenges
- Selecting the most appropriate screening methods (e.g., background checks, reference checks, drug tests) can be complex.
- Ensuring that screening procedures are fair, equitable, and compliant with relevant laws and regulations is crucial.
Solutions
- Conduct research and consult with legal and HR experts to identify appropriate screening methods.
- Develop clear and documented procedures for each screening method.
- Obtain necessary consents from candidates before conducting any screening activities.
- Regularly review and update screening procedures to reflect changes in legal and regulatory requirements.
3. Conduct Thorough Background Checks
Challenges
- Obtaining accurate and reliable information from third-party providers can be challenging.
- Ensuring that background checks are conducted in a timely and efficient manner can be difficult.
- Maintaining the confidentiality of sensitive information throughout the screening process is crucial.
Solutions
- Utilise reputable and reliable background check providers.
- Establish clear timelines and service level agreements with background check providers.
- Implement robust data security measures to protect sensitive information.
- Conduct regular audits of background check providers to ensure compliance and accuracy.
4. Verify References and Credentials
Challenges
- Contacting and obtaining information from references can be time-consuming.
- Verifying the authenticity of educational and professional credentials can be complex.
Solutions
- Develop a standardised reference check form to ensure consistency.
- Utilise automated tools to streamline the reference check process.
- Verify credentials with official sources (e.g., educational institutions, professional licensing boards).
- Establish clear guidelines for handling discrepancies or inconsistencies.
5. Document and Maintain Records
Challenges
- Maintaining accurate and up-to-date screening records can be time-consuming and resource-intensive.
- Ensuring that screening records are stored securely and confidentially is crucial.
Solutions:
- Utilise an applicant tracking system (ATS) or other electronic system to store and manage screening records.
- Implement access controls to restrict access to sensitive information.
- Establish data retention policies and procedures for the secure destruction of outdated records.
6. Conduct Ongoing Monitoring and Review
Challenges
- Identifying and addressing any issues or concerns with the screening process can be challenging.
- Ensuring compliance with evolving legal and regulatory requirements is crucial.
Solutions
- Regularly review and analyse screening data to identify trends and areas for improvement.
- Conduct periodic audits to ensure compliance with internal policies and external regulations.
- Stay informed about changes in relevant laws and regulations and update screening procedures accordingly.
ISO 27001 Annex A 6.1 Audit Checklist
How to audit ISO 27001 Annex A 6.1 Screening
1. Is there an HR Screening Policy?
- Does the policy align with legal and regulatory requirements?
- Is the policy communicated, available to all and evidenced as being accepted?
- Were legal and HR involved in the creation of the policy?
2. Are Screening Procedures Documented
- Review the documented process of screening and walkthrough the process to ensure that it is being implemented as documented.
3. Assess Background Check Providers
- Is there a third party supplier of background checks and screening?
- Check the contract with the supplier to ensure it is in date, covers services provided and that it contains information security clauses.
- Review industry certificates for information security for completeness.
- Check service level agreements with the supplier.
- Assess the information transfer solution with the supplier.
- Seek evidence of independent supplier review.
4. Audit Checks on References and Credentials
- Is the authenticity of educational and professional credentials verified prior to employment?
- Is the reference check process standardised and in line with all laws and regulations?
- Are copies of checks retained, and if so, for how long?
- Review the exception process for when checks fail or cannot be completed.
5. Review Documents and Records
- Review documents and screening records to check they are accurate and up-to-date.
- Audit the storage of records to ensure that it is secure and confidential, reviewing access rights and technical security controls.
- Check data retention policies and procedures for the secure destruction of outdated records.
6. Assess Ongoing Monitoring and Review
- Ensure that a regular review of compliance with evolving legal and regulatory requirements is conducted.
- Confirm internal audits have been conducted.
How to pass the audit of ISO 27001 Annex A 6.1
To pass an audit of ISO 27001 screening you are going to make sure that
- You have screened everyone that works in your organisation
- Screening is proportionate and appropriate to role
- You have documented evidence of all checks carried out
- Checks comply with all laws and regulations
What the auditor will check
1. Employee Screening in HR Processes
- The audit will focus on the integration of employee screening within your HR processes.
- Auditors will verify the existence of a documented onboarding process that explicitly includes employee screening procedures.
- They will likely request evidence of completed screenings for recently onboarded employees.
- If the information is confidential, providing redacted versions of screening results is usually acceptable.
2. Handling Screening Failures
- Auditors will assess your organisation’s response to failed background checks or screenings.
- It’s a common oversight to assume all screenings will be successful.
- A defined procedure for handling failed screenings, even if it involves escalation to the CEO or senior leadership, is crucial.
Top 3 ISO 27001 Annex A 6.1 mistakes and how to avoid them
1. Employing Friends, Family, or Acquaintances
While employing friends, family, or acquaintances is not inherently wrong, neglecting thorough background checks and screenings is a significant mistake.
Familiarity can lead to a false sense of security, tempting organisations to overlook necessary checks.
Even for these individuals, basic checks like right-to-work verification are essential, and all legal requirements must be strictly adhered to.
2. Lack of Documentation
ISO 27001 emphasises the importance of well-documented processes.
Relying solely on verbal instructions or informal procedures increases the risk of inconsistencies, errors, and non-compliance.
While HR professionals are valuable resources, ensure all personnel-related processes are formally documented.
3. Inadequate Document and Version Control
Maintaining accurate and up-to-date document versions is crucial for an effective ISO 27001 implementation.
Key aspects of good document control include:
- Consistent version numbering across all references.
- Regular reviews (at least annually) with documented evidence.
- Minimising or eliminating comments within official documents.
Applicability of ISO 27001 Annex A 6.1 across different business models
| Business Type | Applicability | Examples of Control Implementation |
|---|---|---|
| Small Businesses | Highly applicable for ensuring that the few employees or contractors hired are trustworthy. | The focus is on verifying legal identity and professional reliability to prevent basic insider threats. |
| Tech Startups | Critical for protecting proprietary source code and high-privilege system access. | Compliance involves tiered screening based on the level of technical access granted to developers and administrators. |
| AI Companies | Vital for protecting unique model IP and sensitive training data. | Focus is on identifying potential conflicts of interest or financial vulnerabilities at the executive and research levels. |
Fast Track ISO 27001 Annex A 6.1 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 6.1 (Screening), the requirement is to perform background verification checks on all candidates before they join and on an ongoing basis. This is a critical human resources control designed to ensure that the people you hire are trustworthy and competent.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Policy Ownership | Rents access to your HR standards; if you cancel the subscription, your documented screening levels and candidate logs vanish. | Permanent Assets: Fully editable Word/Excel HR Screening Policies and Level Matrices that you own forever. | A localized “HR Screening Policy” defining mandatory check types (Criminal, Financial, ID) per role. |
| Operational Simplicity | Mandates rigid integrations with specific partners that often duplicate your existing HR software or spreadsheet tracking. | Governance-First: Formalizes your existing hiring workflows and third-party checks into an auditor-ready framework. | A completed “Screening Level Matrix” proving that high-privilege roles undergo more rigorous vetting. |
| Cost Efficiency | Charges a “Per-Hire Tax” or integration fees that scale costs aggressively as your headcount grows. | One-Off Fee: A single payment covers your screening governance for 5 hires a year or 500. | Allocating budget to high-quality background check providers rather than monthly software “platform” fees. |
| Vendor Freedom | Forces you into specific “connected” background check vendors, limiting your choice in global markets or local jurisdictions. | 100% Agnostic: Procedures adapt to any local or international provider—keeping your HR strategy flexible. | The ability to switch background check partners or use internal reference methods without reconfiguring a rigid SaaS module. |
Summary: For Annex A 6.1, the auditor wants to see that you have a formal policy for screening and proof that you follow it (e.g., a matrix of check levels and candidate records). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 6.1 FAQ
What is ISO 27001 Annex A 6.1?
ISO 27001 Annex A 6.1 (updated as Control 5.7 in the 2022 standard) is a security control that mandates organisations to perform background verification checks on all candidates for employment prior to joining.
- It ensures that employees and contractors are suitable for their intended roles.
- It requires a risk-based approach to determine the depth of the screening.
- It applies to all permanent staff, temporary workers, and third-party contractors.
- It forms a critical part of the Information Security Management System (ISMS) “People” controls.
Is background screening mandatory for ISO 27001?
Yes, pre-employment screening is a mandatory requirement for ISO 27001:2022 certification to mitigate the risk of insider threats and unauthorised data access.
- Certification auditors require evidence that screening was completed before system access was granted.
- Failure to document screening procedures for all staff is a common cause of audit non-conformities.
- The process must be formalised within your internal HR and Security policies.
What should be included in an ISO 27001 background check?
A standard ISO 27001 compliant background check must include identity verification, confirmation of academic/professional credentials, and a review of employment history.
- Verification of a government-issued photo ID (e.g., Passport or Driving Licence).
- Independent references, typically covering the previous 3 to 5 years of employment.
- Confirmation of professional certifications or degrees relevant to the job description.
- Verification of the individual’s “Right to Work” in the relevant jurisdiction.
Does ISO 27001 require a criminal record check (DBS)?
ISO 27001 does not explicitly mandate a criminal record check for every role, but it requires you to perform one if the role involves access to highly sensitive data.
- Basic or Enhanced DBS checks are recommended for roles with administrative privileges.
- Mandatory if required by local laws or specific industry regulations (e.g., Fintech or Healthcare).
- Must be conducted in strict compliance with GDPR and relevant data privacy laws.
Do third-party contractors and freelancers need to be screened?
Yes, any third-party contractor or temporary worker with access to your organisation’s information assets must undergo screening equivalent to your permanent staff.
- Responsibility for screening can be delegated to an agency, but you must verify their vetting process.
- Evidence of the screening must be available for audit inspection.
- Contractual agreements should explicitly state the screening standards required for external personnel.
How often should personnel screening be reviewed?
While ISO 27001 focuses on pre-employment, screening should be reviewed if an employee moves to a higher-security role or if the risk landscape changes significantly.
- Triggered by internal promotions or transfers to departments handling sensitive financial data.
- Periodic re-verification of professional certifications that have an expiry date.
- Continuous monitoring is expected for high-clearance administrative roles.
Is a credit check required for ISO 27001 screening?
A credit check is not a default requirement but should be performed for personnel in finance, payroll, or roles with significant procurement authority.
- Helps mitigate the risk of financial desperation as a motive for data theft or bribery.
- Should be justified by a formal risk assessment for the specific job role.
- Commonly used for executive leadership and senior management positions.
Related ISO 27001 Controls
ISO 27001 Annex A 7.7 Clear Desk And Clear Screen
ISO 27001 Annex A 5.37 Documented Operating Procedures
Further Reading
The complete guide to ISO/IEC 27002:2022
ISO 27001 Clear Desk Policy Beginner’s Guide
ISO 27001 Annex A 6.1 Attributes Table
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability Confidentiality Integrity | Protect | Human resource security | Governance and ecosystem |