In this article we lay bare ISO 27001 background checks, exposing the insider trade secrets: what are ISO 27001 background checks, how do you perform them, and are they really needed? We show you exactly what you need to do to satisfy the requirement for ISO 27001 certification, and exactly what changed in the ISO 27001:2022 update. I am Stuart Barker, the ISO 27001 Ninja, and this is ISO 27001 background checks.
What does the standard say about ISO 27001 background checks?
ISO 27001 sets a low bar for employee background checks. In the standard it is covered in Annex A – prior to employment – and it gives a lot of room to manoeuvre when it comes to the level of checks to perform.
Remember that the ISO 27001 standard changed in 2022, so there are 2 versions in play:
ISO 27001:2022 Annex A 6.1
The standard changed in 2022. The numbering changed and the subtlety of the language changed, but the requirement pretty much stayed the same.
The updated 2022 version of the standard says:
Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
ISO 27001:2013 Annex A 7.1.1
The 2013 version of the standard says:
Screening: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
What is the minimum you can get away with to satisfy the standard?
The minimum level of background checks on employees is set by the laws and legal requirements of your country and jurisdiction. An example would be the UK right to work check. To meet the standard you only have to do this once, prior to employment. Of course you would check that all employees are covered and meet the law.
What should you actually do to meet the standard and be secure?
There are a number of simple steps to take for ISO 27001 certification:
Time needed: 1 hour
How to perform ISO 27001 background checks
- Perform background checks to the level required by law
Your country and jurisdiction will have laws related to the level of checks required before you employ staff. An example would be the UK right to work check. Check with your legal counsel.
- Perform background checks to the level required by regulators
Regulators for the industry that you are in will have requirements on the kinds of checks required. For example, people who work in finance, with vulnerable people, with law enforcement, or with children will have special checks required.
- Perform background checks to the level required by customers
Customers may state that they require certain background checks to be performed on employees that access their data or systems.
- Perform background checks appropriate to the person's role
A person should be checked proportionate to their role. Finance checks for finance directors and criminal background checks for IT administrators are examples. Not everyone needs the full rigour of a full background check, but those that do should undergo it.
- Consider annual background checks or checks when people significantly change role
Checks can and should ideally be performed on an ongoing basis. People's circumstances do change. The most critical or highest privilege employees, based on risk, should be checked at least annually or when a significant change occurs.
ISO 27001 Background Checks FAQ
Annex A section 7 covers Human Resource Security. 7.1 covers prior to employment. 7.1.1 covers screening. So it is ISO 27001 Annex A section 7.1.1.
The control objective is – Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Seek guidance from your HR and legal teams. As the minimum you can get away with, we have seen the UK right to work check being a good example. It is already a legal requirement and the work will / should already have been done by your HR team. There are similar in-country examples to this globally. Of course you should always comply with the applicable laws of your country.
Background checks should be conducted before an employee starts with a customer. Checks should then be carried out based on role and risk at least annually or when a significant change occurs.
An ISO 27001 Toolkit is not really going to help you with ISO 27001 background checks, but it is a good start when considering your ISO 27001 implementation.