ISO 27001 Background Checks Explained + Template

Last updated Sep 25, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

What is it?

An ISO 27001 background check is simply a process you use to make sure the people you hire are trustworthy, especially when they’ll have access to your sensitive company information. It’s a key part of the ISO 27001 standard, which is all about keeping your information secure. You’re basically verifying someone’s identity, history, and qualifications to make sure they’re a good fit for the job and don’t pose a risk to your company’s data.

Applicability to Small Business, Tech Startups, and AI Companies

  • Small Businesses: You might think you’re too small, but even a handful of employees handling customer data or business secrets need to be vetted. It’s about building a foundation of trust from the start.
  • Tech Startups: Your whole business might be built on intellectual property, code, or user data. Protecting these assets is critical, and that starts with your team.
  • AI Companies: You’re working with massive datasets, proprietary algorithms, and cutting-edge technology. A breach could be catastrophic. Background checks are a non-negotiable step to protect your unique creations and the data you use to train your models.

What does the standard say about ISO 27001 background checks?

ISO 27001 sets a low bar for employee background checks. In the standard it is covered in Annex A under the "prior to employment" controls, and it gives a lot of room to manoeuvre when it comes to the level of checks to perform.

ISO 27001:2022 Annex A 6.1

The standard changed in 2022. The numbering changed and the language changed subtly, but the requirement pretty much stayed the same.

The updated 2022 version of the standard says:

Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Who Needs It?

Honestly, anyone who handles sensitive information needs this. It’s not just for big corporations. If you’re a small business, a tech startup, or an AI company, and your employees have access to customer data, financial records, or secret project files, you need to do these checks.

Why You Need It

You need it to protect your business. It’s all about minimising risk. By checking a person’s background, you can help prevent things like fraud, data theft, and unauthorised access. It shows your customers and partners that you take security seriously, which can be a huge selling point.

When You Need It

The best time to do a background check is before you make a final job offer. It should be part of your hiring process. You want to make sure you’re getting a full picture of a candidate before they start working with your valuable data.

Where You Need It

You need to apply this process throughout your hiring and employee lifecycle. It’s not just a one-time thing. You might need to do checks again if someone moves to a more sensitive role or if there’s a significant change in their circumstances.

How to Write It

You’ll need a clear policy that outlines your process. It should be a simple, easy-to-read document that explains:

  • What kinds of checks you’ll do (e.g., identity, criminal history, references).
  • When you’ll do them.
  • Who will handle the information.
  • How you’ll handle any issues that come up.

The minimum level of background checks on employees will be set by the laws and legal requirements of your country and jurisdiction. An example would be the UK right to work check. To meet the standard you only have to do this once, prior to employment. Of course you would check that all employees are covered and meet the law.

How to perform ISO 27001 background checks

  1. Get consent: You must get a candidate’s permission to run a background check.
  2. Use a reliable service: You don’t have to do this yourself! There are many services that specialize in background checks.
  3. Document everything: Keep good records of your process and the results of the checks.

Time needed: 1 hour

How to perform ISO 27001 background checks

  1. Perform background checks to the level required by law

    Your country and jurisdiction will have laws related to the level of checks required before you employ staff. An example would be the UK right to work check. Check with your legal counsel.

  2. Perform background checks to the level required by regulators

    Regulators for the industry that you are in will have requirements on the kinds of checks required. For example, people who work in finance, with vulnerable people, with law enforcement, or with children will have special checks required.

  3. Perform background checks to the level required by customers

    Customers may state that they require certain background checks to be performed on employees that access their data or systems.

  4. Perform background checks appropriate to the person's role

    A person should be checked proportionate to their role. Finance checks for finance directors and criminal background checks for IT administrators are examples. Not everyone needs the full rigour of a full background check, but those that do should undergo it.

  5. Consider annual background checks, or checks when people change to a significantly different role

    Checks can and should ideally be performed on an ongoing basis. People's circumstances do change. Based on risk, the most critical or highest-privilege employees should be checked at least annually or when a significant change occurs.

Examples of using it for small businesses

Let’s say you’re a small online shop. You’d do a background check on anyone you hire to manage your customer database or handle online payments.

Examples of using it for tech startups

You’re a new app company. You’d check the background of your new software engineer, especially since they’ll be writing code and have access to your source code.

Examples of using it for AI companies

Your company is building a new AI that analyses medical data. You’d do a thorough check on a new data scientist to ensure they have no history of misusing sensitive information.

How the ISO 27001 Toolkit Can Help

An ISO 27001 toolkit is a great shortcut. It often includes pre-written policies, procedures, and forms that you can use right away. It saves you the hassle of writing everything from scratch and helps you make sure you don’t miss any important details.

Information Security Standards That Need It

This background checks requirement is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:

  • HIPAA (Health Insurance Portability and Accountability Act)
  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive)
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology)

List of Relevant ISO 27001:2022 Controls

The ISO 27001:2022 standard has specific controls that relate to screening and background checks. Some of the most important ones include:

ISO 27001 Background Checks FAQ

What is the minimum level of ISO 27001 background check I should perform?

Seek guidance from your HR and legal teams. As a minimum you can get away with, we have seen the UK right to work check being a good example. It is already a legal requirement and the work will, or should, already have been done by your HR team. There are similar in-country examples to this globally. Of course you should always comply with your applicable in-country laws.

When should background checks occur?

Background checks should be conducted before an employee starts with a customer. Checks should then be carried out based on role and risk at least annually or when a significant change occurs.

Do I really need to do a background check on every employee?

Yes, it’s a good practice, especially for anyone with access to sensitive data.

What if a candidate refuses?

You should not proceed with their application.

Are these checks expensive?

The cost varies, but it’s a small price to pay for security.

How long do they take?

Usually a few days, but it can depend on the type of check.

What’s the difference between a criminal and a civil check?

A criminal check looks at criminal history, while a civil check looks at lawsuits.

Can I just call a previous employer?

That’s a good start, but a formal check is more thorough.

Do I need a lawyer to write my policy?

It’s a good idea to have a professional look at it.

What if I find something negative?

You must have a clear process for how to handle it.

Can I do a check on a freelancer?

Yes, it’s just as important to check freelancers as it is to check employees.

Do I need to check everyone in my company?

Yes, it’s a good idea to check everyone, especially if they have access to sensitive data.

Do I need to check a CEO?

Yes, absolutely.

Can I use a free online service?

It’s not a good idea, as they’re not as reliable.

What if a candidate is from another country?

You should use a service that can do international background checks.

Do I need to keep the background check results?

Yes, you should keep them for a certain period of time.

What’s the biggest mistake people make with background checks?

Not doing them at all or not having a clear policy.

About the author

Stuart Barker is an information security practitioner with over 30 years of experience. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business, which he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe, and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded, and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2, and his niche is start-up and early-stage business.