ISO 27001 Screening
In this ultimate guide to ISO 27001 Annex A 6.1 Screening you will learn
- What is ISO 27001 Screening
- What are ISO 27001 Background Checks
- An Implementation Guide
- An Implementation Checklist
- An Audit Checklist
I am Stuart Barker, author of the Ultimate ISO 27001 Toolkit.
With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.
Table of contents
- ISO 27001 Screening
- What is ISO 27001 Annex A 6.1?
- Purpose
- Definition
- Ownership
- Implementation Guide
- Implementation Checklist
- Audit Checklist
- Watch the Tutorial
- ISO 27001 Templates
- How to pass the audit
- What the auditor will check
- Top 3 Mistakes People Make
- ISO 27001 Annex A 6.1 FAQ
- ISO 27001 Annex A 6.1 Attributes Table
What is ISO 27001 Annex A 6.1?
ISO 27001 Annex A 6.1 Employee Screening is an ISO 27001 Annex A control that wants you to do background checks on people before, and during, employment.
It understands that it has to be in line with the law, ethics and regulation and nods to the fact that it based on what people do and access.
Purpose
The purpose of ISO 27001 screening is to ensure we have checked people to an appropriate level before they get access to our data and information. It is proportionate to risk and done in the framework of applicable laws but the purpose is to reduce risk by making sure that people are who they say they are, can do the things they say they can do and don’t have any indicators they will do something bad.
Definition
ISO 27001 defines ISO 27001 Annex A 6.1 as:
Background verification checks on all candidates to become personnel should be carried out prior to joining the organisation and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
ISO27001:2022 Annex A 6.1 Employee Screening
Ownership
The Information Security Officer in collaboration with the HR management team is responsible for developing, approving, and implementing appropriate screening procedures.
Implementation Guide
Who should be screened?
The headline guidance is to perform background checks on everyone which includes people that are:
- full time
- part time
- temporary
- or third party supplier resources.
Background checks and the law
Speak to your legal team or legal counsel to guide and agree with you what can and cannot be done. That always takes precedence.
Given that background checks typically involve the collection, processing, and transfer of personally identifiable information and protected characteristics (as defined by UK law), organisations must adhere rigorously to all applicable employment laws in every jurisdiction where they operate.
ISO 27001 Background Check Requirements
The level of background checks is going to be proportionate to need and risk but to consider the common requirements:
- References
- Verify the CV
- Confirm qualifications
- Verify Identity
- Where appropriate, criminal or finance checks.
Enhanced Vetting
The level of checks is going to be proportionate to the role and the risk posed. Not everyone will go through a full and rigorous check but there are roles that are inherently risky and require additional checks to be put in place. Common examples of roles requiring enhanced vetting include:
- Admins
- Power users
- Directors
- Those with financial authority
- Those with legal authority
- Those processing highly confidential or protected characteristic data
Information Security Roles
For people in information security roles you will make sure people are competent to do the job and can be trusted. This seems to push the industry certifications agenda and I am unsure how you can measure trust but be aware of it.
What if you can’t do the checks in time
If you cannot do the checks in time the standard has some pretty harsh guidance. I am not sure I agree in total but their approach is around delaying them joining, not giving them company stuff, allowing them only limited access or even sacking them. There is a limit to how practical this is so use judgement and have something in place for when you don’t get the results of checks back in time.
Do it and do it again
Now there has to be a mechanism for repeating the checks periodically. You define periodically. Just document how often you do it but do it proportionate to your needs and your risks.
Screening Process
Screening procedures must clearly identify responsible personnel and the purpose of the screening process.
Where to get more guidance
You can get more guidance in the beginner’s guide to ISO 27001 background checks.
Implementation Checklist
Screening ISO 27001 Annex A 6.1 Implementation Checklist:
Establish a Screening Policy
Challenges:
- Defining a clear and consistent policy that aligns with legal and regulatory requirements can be challenging.
- Ensuring the policy is communicated effectively to all relevant stakeholders (e.g., HR, hiring managers, candidates) can be difficult.
Solutions:
- Involve legal and HR departments in the policy development process.
- Conduct a thorough risk assessment to determine the appropriate level of screening for different roles.
- Clearly document the ISO 27001 screening policy and make it readily available to all stakeholders.
- Provide training to HR and hiring managers on the screening policy and procedures.
Determine Screening Procedures
Challenges:
- Selecting the most appropriate screening methods (e.g., background checks, reference checks, drug tests) can be complex.
- Ensuring that screening procedures are fair, equitable, and compliant with relevant laws and regulations is crucial.
Solutions:
- Conduct research and consult with legal and HR experts to identify appropriate screening methods.
- Develop clear and documented procedures for each screening method.
- Obtain necessary consents from candidates before conducting any screening activities.
- Regularly review and update screening procedures to reflect changes in legal and regulatory requirements.
Conduct Thorough Background Checks
Challenges:
- Obtaining accurate and reliable information from third-party providers can be challenging.
- Ensuring that background checks are conducted in a timely and efficient manner can be difficult.
- Maintaining the confidentiality of sensitive information throughout the screening process is crucial.
Solutions:
- Utilise reputable and reliable background check providers.
- Establish clear timelines and service level agreements with background check providers.
- Implement robust data security measures to protect sensitive information.
- Conduct regular audits of background check providers to ensure compliance and accuracy.
Verify References and Credentials
Challenges:
- Contacting and obtaining information from references can be time-consuming.
- Verifying the authenticity of educational and professional credentials can be complex.
Solutions:
- Develop a standardised reference check form to ensure consistency.
- Utilise automated tools to streamline the reference check process.
- Verify credentials with official sources (e.g., educational institutions, professional licensing boards).
- Establish clear guidelines for handling discrepancies or inconsistencies.
Document and Maintain Records
Challenges:
- Maintaining accurate and up-to-date screening records can be time-consuming and resource-intensive.
- Ensuring that screening records are stored securely and confidentially is crucial.
Solutions:
- Utilise an applicant tracking system (ATS) or other electronic system to store and manage screening records.
- Implement access controls to restrict access to sensitive information.
- Establish data retention policies and procedures for the secure destruction of outdated records.
Conduct Ongoing Monitoring and Review
Challenges:
- Identifying and addressing any issues or concerns with the screening process can be challenging.
- Ensuring compliance with evolving legal and regulatory requirements is crucial.
Solutions:
- Regularly review and analyse screening data to identify trends and areas for improvement.
- Conduct periodic audits to ensure compliance with internal policies and external regulations.
- Stay informed about changes in relevant laws and regulations and update screening procedures accordingly.
Audit Checklist
Screening ISO 27001 Annex A 6.1 Audit Checklist:
Is there a HR Screening Policy
- Does the policy aligns with legal and regulatory requirements
- Is the policy communicated, available to all and evidenced as being accepted.
- Were legal and HR involved in the creation of the policy.
Are Screening Procedures Documented
- Review the documented process of screening and walkthrough the process to ensure that it is being implemented as documented.
Assess Background Check Providers
- Is there a third party supplier of background checks and screening.
- Check the contract with the supplier to ensure it is in date, covers services provided and that it contains information security clauses.
- Review industry certificates for information security for completeness.
- Check service level agreements with the supplier.
- Assess the information transfer solution with the supplier.
- Seek evidence of independent supplier review.
Audit Checks on References and Credentials
- Is the authenticity of educational and professional credentials conducted prior to employment.
- Is the reference check process standardised and in line with all laws and regulations.
- Are copies of checks made retained and if so for how long.
- Review the exception process for when checks fail or cannot be completed.
Review Documents and Records
- Review documents and screening records to check they are accurate and up-to-date.
- Audit the storage of records to ensure that it is secure and confidential, reviewing access rights and technical security controls.
- Check data retention policies and procedures for the secure destruction of outdated records.
Assess Ongoing Monitoring and Review
- Ensure that a regular review of compliance with evolving legal and regulatory requirements is conducted.
- Confirm internal audits have been conducted.
Watch the Tutorial
Watch the ISO 27001 tutorial on ISO 27001 Employee Screening
ISO 27001 Templates
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
Implementing ISO 27001 can be a significant undertaking and incur significant ISO 27001 Costs. To streamline the process and potentially save valuable time and resources, consider utilising pre-written ISO 27001 templates. This ISO 27001 Toolkit offers a comprehensive set of resources specifically designed for those seeking to achieve ISO 27001 certification independently. With this toolkit, you can potentially build your Information Security Management System (ISMS) within a week and be ready for certification within 30 days
How to pass the audit
To pass an audit of ISO 27001 screening you are going to make sure that
- You have screened everyone that works in your organisation
- Screening is proportionate and appropriate to role
- You have documented evidence of all checks carried out
- Checks comply with all laws and regulations
What the auditor will check
Employee Screening in HR Processes
- The audit will focus on the integration of employee screening within your HR processes.
- Auditors will verify the existence of a documented onboarding process that explicitly includes employee screening procedures.
- They will likely request evidence of completed screenings for recently onboarded employees.
- If the information is confidential, providing redacted versions of screening results is usually acceptable.
Handling Screening Failures:
- Auditors will assess your organisation’s response to failed background checks or screenings.
- It’s a common oversight to assume all screenings will be successful.
- A defined procedure for handling failed screenings, even if it involves escalation to the CEO or senior leadership, is crucial.
Top 3 Mistakes People Make
Employing Friends, Family, or Acquaintances:
- While employing friends, family, or acquaintances is not inherently wrong, neglecting thorough background checks and screenings is a significant mistake.
- Familiarity can lead to a false sense of security, tempting organisations to overlook necessary checks.
- Even for these individuals, basic checks like right-to-work verification are essential, and all legal requirements must be strictly adhered to.
Lack of Documentation:
- ISO 27001 emphasises the importance of well-documented processes.
- Relying solely on verbal instructions or informal procedures increases the risk of inconsistencies, errors, and non-compliance.
- While HR professionals are valuable resources, ensure all personnel-related processes are formally documented.
Inadequate Document and Version Control:
- Maintaining accurate and up-to-date document versions is crucial for an effective ISO 27001 implementation.
- Key aspects of good document control include:
- Consistent version numbering across all references.
- Regular reviews (at least annually) with documented evidence.
- Minimising or eliminating comments within official documents.
ISO 27001 Annex A 6.1 FAQ
The main reason it is important is because it helps organisation’s to protect their information assets by ensuring that only authorised individuals have access to them. This is done by conducting background checks on employees and other individuals who may have access to sensitive information. The checks can include things like criminal history checks, credit checks, and educational verification. By screening individuals, organisations can help to reduce the risk of unauthorised access to their information assets, which can lead to data breaches, financial losses, and reputational damage
Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 6.1 Screening:
You cannot get ISO 27001 certification without it.
Improved security: You will have an effective information security implementation that is based on people who have been checked for competence, ability and cleared for criminal activity
Reduced risk: You will reduce the information security risks by checking people before they join and whilst they work for you for indicators that they might do something bad or say they are something they are not
Improved compliance: Standards and regulations require you to have screening in place
Reputation Protection: In the event of a breach having a documented screening procedure in place will reduce the potential for fines and reduce the PR impact of an event
Yes, if your organisation employees more than 1 person then you need to meet the requirements of this control and conduct background checks to an appropriate level.
There are many different approaches to ISO 27001 screening and the common example of ISO 27001 background checks include:
Verification of Identity
Reference Checks
Verifying the CV
Confirmation of qualifications
Criminal Checks
Finance Checks
You should consult with a HR professional and verify with a legal professional.
ISO 27001 Annex A 6.1 is not hard to implement. This is a standard HR process that is conducted in all organisations.
To implement this should take no more than an hour of your time. HR professionals utilise HR templates and follow standard practices. This should be outsourced to a HR professional.
Yes. You will need the help of a HR professional and a legal professional.
HR is responsible for screening employees. Under the guidance of legal counsel they are best placed to follow best practice and meet the requirements of the law.
ISO 27001 Annex A 6.1 Attributes Table
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| Preventive | Availability Confidentiality Integrity | Protect | Human resource security | Governance and ecosystem |
