ISO 27001 Screening – Annex A 6.1

ISO 27002:2022 Clause 6.1 Screening

What is ISO 27001:2022 Annex A 6.1 Screening?

ISO 27001:2022 Annex A 6.1 Screening is an ISO 27002:2022 control that wants you to do background checks on people before, and during, employment. It understands that it has to be in line with the law, ethics and regulation and nods to the fact that it based on what people do and access.

What is the purpose of ISO 27001:2022 Annex A 6.1 Screening?

The purpose of ISO 27001:2022 Annex A 6.1 Screening is to ensure we have checked people to an appropriate level before they get access to our data and information. It is proportionate to risk and done in the framework of applicable laws but the purpose is to reduce risk by making sure that people are who they say they are, can do the things they say they can do and don’t have any indicators they will do something bad.

What is the definition of ISO 27001:2022 Annex A 6.1 Screening?

The ISO 27001:2022 standard defines ISO 27001:2022 Annex A 6.1 Screening as:

Background verification checks on all candidates to become personnel should be carried out prior to joining the organisation and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. 

ISO 27001:2022 Annex A 6.1

Implementation Guide

The headline guidance is to checks on everyone, be they full time, part time, temporary.

What to check

The level of checks is going to be proportionate to need and risk but to consider

• References
• Verify the CV
• Confirm qualifications
• Verify Identity
• Where appropriate, criminal or finance checks.

Where to get more guidance

You can get more guidance in the beginner’s guide to ISO 27001 background checks.

Information Security Roles

For people in information security roles you will make sure people are competent to do the job and can be trusted. This seems to push the industry certifications agenda and I am unsure how you can measure trust but be aware of it.

Follow the law

Speak to your legal team or legal counsel to guide and agree with you what can and cannot be done. That always takes precedence.

You can’t do the checks in time

If you cannot do the checks in time the standard has some pretty harsh guidance. I am not sure I agree in total but their approach is around delaying them joining, not giving them company stuff, allowing them only limited access or even sacking them. There is a limit to how practical this is so use judgement and have something in place for when you don’t get the results of checks back in time.

Do it and do it again

Now there has to be a mechanism for repeating the checks periodically. You define periodically. Just document how often you do it but do it proportionate to your needs and your risks.

ISO 27001 Templates that can help

Having an ISO 27001 template for control 6.1 can help fast track your implementation. The ISO 27001 Document Toolkit is a the ultimate resource for your ISO 27001 implementation.

What are the Benefits of ISO 27001 6.1 Screening?

Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001:2022 Annex A 6.1 Screening: 

1. You cannot get ISO 27001 certification without it.
2. Improved security: You will have an effective information security implementation that is based on people who have been checked for competence, ability and cleared for criminal activity
3. Reduced risk: You will reduce the information security risks by checking people before they join and whilst they work for you for indicators that they might do something bad or say they are something they are not
4. Improved compliance: Standards and regulations require you to have screening in place
5. Reputation Protection: In the event of a breach having a documented screening procedure in place will reduce the potential for fines and reduce the PR impact of an event

Why is ISO 27001 Annex A 6.1 Screening important?

The main reason it is important is because it helps organisation’s to protect their information assets by ensuring that only authorised individuals have access to them. This is done by conducting background checks on employees and other individuals who may have access to sensitive information. The checks can include things like criminal history checks, credit checks, and educational verification. By screening individuals, organisations can help to reduce the risk of unauthorised access to their information assets, which can lead to data breaches, financial losses, and reputational damage.

Matrix of ISO 27001:2022 Controls and ISO 27001:2022 Attribute values

Control type	Information security properties	Cybersecurity concepts	Operational capabilities	Security domains
#Preventive	#Availability #Confidentiality #Integrity	#Protect	#Human_resource_security	#Governance_and_ecosystem

Reference

ISO/IEC 27001 Information Security Management