Table of contents
ISO 27001 Screening
In this ultimate guide to ISO 27001 Annex A 6.1 Screening you will learn
- What is ISO 27001 Annex A 6.1
- How to implement ISO 27001 Annex A 6.1
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.
What is ISO 27001 Annex A 6.1 Screening?
ISO 27001 Annex A 6.1 Screening is an ISO 27001 control that wants you to do background checks on people before, and during, employment. It understands that it has to be in line with the law, ethics and regulation and nods to the fact that it based on what people do and access.
ISO 27001 Annex A 6.1 Purpose
The purpose of ISO 27001 Annex A 6.1 Screening is to ensure we have checked people to an appropriate level before they get access to our data and information. It is proportionate to risk and done in the framework of applicable laws but the purpose is to reduce risk by making sure that people are who they say they are, can do the things they say they can do and don’t have any indicators they will do something bad.
ISO 27001 Annex A 6.1 Definition
The ISO 27001 standard defines ISO 27001 Annex A 6.1 as:
Background verification checks on all candidates to become personnel should be carried out prior to joining the organisation and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
ISO27001:2022 Annex A 6.1 Screening
DO IT YOURSELF
ISO 27001
ISO 27001 Annex A 6.1 Implementation Guide
The headline guidance is to perform background checks on everyone, be they full time, part time, temporary.
What to check
The level of checks is going to be proportionate to need and risk but to consider
- References
- Verify the CV
- Confirm qualifications
- Verify Identity
- Where appropriate, criminal or finance checks.
Where to get more guidance
You can get more guidance in the beginner’s guide to ISO 27001 background checks.
Information Security Roles
For people in information security roles you will make sure people are competent to do the job and can be trusted. This seems to push the industry certifications agenda and I am unsure how you can measure trust but be aware of it.
Follow the law
Speak to your legal team or legal counsel to guide and agree with you what can and cannot be done. That always takes precedence.
You can’t do the checks in time
If you cannot do the checks in time the standard has some pretty harsh guidance. I am not sure I agree in total but their approach is around delaying them joining, not giving them company stuff, allowing them only limited access or even sacking them. There is a limit to how practical this is so use judgement and have something in place for when you don’t get the results of checks back in time.
Do it and do it again
Now there has to be a mechanism for repeating the checks periodically. You define periodically. Just document how often you do it but do it proportionate to your needs and your risks.
Stop Spanking £10,000s on consultants and ISMS Online tools.
ISO 27001 Templates
Having an ISO 27001 template for control 6.1 can help fast track your implementation. The ISO 27001 Toolkit is a the ultimate resource for your ISO 27001 implementation.
How to pass an audit of ISO27001:2022 Annex A 6.1
To pass an audit of ISO 27001 Annex A 6.1 Screening you are going to make sure that
- You have screened everyone that works in your organisation
- Screening is proportionate and appropriate to role
- You have documented evidence of all checks carried out
- Checks comply with all laws and regulations
What the auditor will check
The audit is going to check a number of areas. Lets go through the main ones
1. That screening is included in your HR Processes
They will check that for a documented onboarding process and that it includes screening. This is a function of HR. They will then seek example of people that have been onboarded and seek evidence of the checks that were carried out. If the information is confidential or sensitive it may be possible to provide them with redacted information.
2. What happens when checks fail
An auditor is going to know what you do if the background checks and screening fail for people. This is often overlooked as we assume that the process will be successful each time but that is not always the case. Even if the process is to refer the case to the CEO or senior leadership you should consider what happens when screening fails.
Top 3 Mistakes People Make
The top 3 Mistakes People Make For ISO 27001 Annex A 6.1 are
1. You employ friends / family / people you know
It is not a mistake to employ or work with people in these categories but it is mistake not to perform background checks and screening on them. Often, as we know these people we think that it is ok not to follow the process and checks but this is definitely a mistake. Even if just basic check or right to work check, checks should be performed and as a minimum you should comply with your legal requirements.
2. Nothing is documented
ISO 27001 is documentation heavy and for maturity of process it expects that those processes are written down. Whilst you must rely on a HR professional when creating documents and process related to people you should ensure that these process are written down and documented.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
ISO 27001 Annex A 6.1 FAQ
Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 6.1 Screening:
You cannot get ISO 27001 certification without it.
Improved security: You will have an effective information security implementation that is based on people who have been checked for competence, ability and cleared for criminal activity
Reduced risk: You will reduce the information security risks by checking people before they join and whilst they work for you for indicators that they might do something bad or say they are something they are not
Improved compliance: Standards and regulations require you to have screening in place
Reputation Protection: In the event of a breach having a documented screening procedure in place will reduce the potential for fines and reduce the PR impact of an event
The main reason it is important is because it helps organisation’s to protect their information assets by ensuring that only authorised individuals have access to them. This is done by conducting background checks on employees and other individuals who may have access to sensitive information. The checks can include things like criminal history checks, credit checks, and educational verification. By screening individuals, organisations can help to reduce the risk of unauthorised access to their information assets, which can lead to data breaches, financial losses, and reputational damage
Yes, if your organisation employees more than 1 person then you need to meet the requirements of this control and conduct background checks to an appropriate level.
There are many different approaches to ISO 27001 screening and the common example of ISO 27001 background checks include:
Verification of Identity
Reference Checks
Verifying the CV
Confirmation of qualifications
Criminal Checks
Finance Checks
You should consult with a HR professional and verify with a legal professional.
ISO 27001 Annex A 6.1 is not hard to implement. This is a standard HR process that is conducted in all organisations.
To implement this should take no more than an hour of your time. HR professionals utilise HR templates and follow standard practices. This should be outsourced to a HR professional.
.
ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| Preventive | Availability Confidentiality Integrity | Protect | Human resource security | Governance and ecosystem |