ISO 27001 Background Checks Beginner’s guide


In this article we lay bare ISO 27001 background checks: what they are, how you perform them and whether they are really needed. We show you exactly what you need to do to satisfy the control for ISO 27001 certification, and exactly what changed in the ISO 27001:2022 update. I am Stuart Barker, the ISO 27001 Ninja, and this is ISO 27001 background checks.

What does the standard say about ISO 27001 background checks?

ISO 27001 sets a low bar for employee background checks. In the standard it is covered in Annex A, under the controls that apply prior to employment, and it gives you a lot of room to manoeuvre on the level of checks to perform.

Remembering that the ISO 27001 standard changed in 2022, there are two versions in play:

ISO 27001:2022 Annex A 6.1

The standard changed in 2022. The numbering changed and the language changed subtly: the 2022 wording adds an explicit "on an ongoing basis", but the requirement otherwise stayed the same.

The updated 2022 version of the standard says:

Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

ISO 27001:2013 Annex A 7.1.1

The 2013 version of the standard says:

Screening: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

What is the minimum you can get away with to satisfy the standard?


The minimum level of background checks on employees will be your in-country and in-jurisdiction laws and legal requirements. An example would be the UK right to work check. Under the 2013 wording you only had to do this once, prior to employment; the 2022 wording adds "on an ongoing basis", so expect to show at least a risk-based re-check for your higher-risk roles. Either way, you would check that all employees are covered and meet the law.

What should you actually do to meet the standard and be secure?

There are a number of simple steps to take for ISO 27001 certification:

Time needed: 1 hour

How to perform ISO 27001 background checks

  1. Perform background checks to the level required by law

    Your country and jurisdiction will have laws setting the level of checks required before you employ staff. An example would be the UK right to work check. Check with your legal counsel.

  2. Perform background checks to the level required by regulators

    Regulators for the industry that you are in will have requirements on the kinds of checks required. For example, people who work in finance, with vulnerable people, with law enforcement or with children will have special checks required.

  3. Perform background checks to the level required by customers

    Customers may state that they require certain background checks to be performed on employees who access their data or systems.

  4. Perform background checks appropriate to the person's role

    A person should be checked proportionate to their role. Finance checks for finance directors and criminal background checks for IT administrators are examples. Not everyone needs the full rigour of a full background check, but those who do should undergo it.

  5. Consider annual background checks, or re-checks when people move into a significantly different role

    Checks can, and ideally should, be performed on an ongoing basis, because people's circumstances do change. The most critical or highest-privilege employees should be re-checked, based on risk, at least annually or when a significant change occurs.


ISO 27001 Background Checks FAQ

What ISO 27001 Annex A control covers background checks?

In ISO 27001:2013, Annex A section 7 covers Human Resource Security, 7.1 covers prior to employment and 7.1.1 covers screening, so the control is Annex A 7.1.1. In ISO 27001:2022 the same control is Annex A 6.1 Screening.

What does ISO 27001 say about background checks?

The 2013 control objective is: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. The 2022 wording adds that checks are also carried out on an ongoing basis.

What is the minimum level of ISO 27001 background check I should perform?

Seek guidance from your HR and legal teams. As a minimum, we have seen the UK right to work check used as a good example. It is already a legal requirement, and the work should already have been done by your HR team. There are similar in-country examples to this globally. Of course you should always comply with your applicable in-country laws.

When should background checks occur?

Background checks should be conducted before an employee joins the organisation (and, where a customer requires it, before they are given access to that customer's data or systems). Checks should then be repeated based on role and risk, at least annually or when a significant change occurs.

An ISO 27001 Toolkit is not really going to help you with ISO 27001 background checks but is a good start when considering your ISO 27001 implementation.

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.12 Classification of information

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.30 ICT readiness for business continuity – new

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of Cryptography

ISO 27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing