ISO 27001 background checks

What are ISO 27001 background checks, how do you perform them and are they really needed?

What does the standard say about ISO 27001 background checks?

ISO 27001 sets a low bar for employee background checks. In the standard it is covered in Annex A (prior to employment), and it leaves a lot of room to manoeuvre when it comes to the level of checks to perform.

The control objective, and therefore what we are going to demonstrate, is covered in Annex A section 7.1.1:

Screening: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.


What is the minimum you can get away with to satisfy the standard?

The minimum level of background checks on employees is set by the laws and legal requirements of your country and jurisdiction. An example would be the UK right to work check. To meet the standard you only have to do this once, prior to employment. Of course, you would check that all employees are covered and that the legal requirement is met.

What should you actually do to meet the standard and be secure?

There are a number of simple steps to take for ISO 27001 certification:

Time needed: 1 hour.

How to perform ISO 27001 background checks

  1. Perform background checks to the level required by law

    Your country and jurisdiction will have laws setting the level of checks required before you employ staff. An example would be the UK right to work check. Check with your legal counsel.

  2. Perform background checks to the level required by regulators

    Regulators for the industry you are in will have requirements on the kinds of checks required. For example, people who work in finance, with vulnerable people, with law enforcement or with children will have special checks required.

  3. Perform background checks to the level required by customers

    Customers may state that they require certain background checks to be performed on employees who access their data or systems.

  4. Perform background checks appropriate to the person's role

    A person should be checked in proportion to their role. Finance checks for finance directors and criminal background checks for IT administrators are examples. Not everyone needs the full rigour of a complete background check, but those who do should undergo it.

  5. Consider annual background checks, or checks when people change to a significantly different role

    Checks can, and ideally should, be performed on an ongoing basis. People's circumstances do change. The most critical or highest-privilege employees, selected based on risk, should be re-checked at least annually or when a significant change occurs.

ISO 27001 Background Checks FAQ

What ISO 27001 Annex A control covers background checks?

Annex A section 7 covers Human Resource Security. 7.1 covers prior to employment. 7.1.1 covers screening. So the relevant control is ISO 27001 Annex A section 7.1.1.

What does ISO 27001 say about background checks?

The control objective is: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

What is the minimum level of ISO 27001 background check I should perform?

Seek guidance from your HR and legal teams. As the minimum you can get away with, we have seen the UK right to work check being a good example. It is already a legal requirement, and the work will (or should) already have been done by your HR team. There are similar in-country examples globally. Of course, you should always comply with the laws applicable in your country.

When should background checks occur?

Background checks should be conducted before an employee starts with a customer. Checks should then be carried out based on role and risk, at least annually or when a significant change occurs.
