HR departments process vast amounts of sensitive information, so organisations must take appropriate steps to secure that data.
Annex A.7 of ISO 27001 sets out the framework for organisations to do that.
ISO 27001 is the international standard that describes best practice for implementing an ISMS (information security management system), and Annex A.7 addresses human resource security specifically.
It’s broken down into three sections:
- Annex A.7.1, which covers activities before employment.
- Annex A.7.2, which contains guidelines to ensure that employees and contractors fulfil their information security responsibilities.
- Annex A.7.3, which covers the termination and change of employment.
This blog explains each clause within Annex A.7, helping you understand human resource security and ISO 27001.
A.7.1.1 Screening
Employee screening is the process of verifying an applicant’s credentials and ensuring that they meet the conditions for employment.
The screening process should, for example, establish whether the applicant has concealed or falsified information, such as their qualifications and job history.
Annex A.7.1.1 advises organisations to adjust the stringency of employee screening based on the role that they are applying for.
Applicants whose jobs involve accessing sensitive information should be subject to more extensive screening.
Organisations must document the screening process to demonstrate which procedures are carried out.
A.7.1.2 Terms and conditions of employment
An employment contract must include a section related to the information security responsibilities of the organisation and the employee.
This is a compliance requirement of ISO 27001 and the GDPR (General Data Protection Regulation).
A.7.2.1 Management responsibilities
Managers should ensure that employees who report to them understand information security threats and that appropriate controls are in place to mitigate risks.
Managers must also ensure that employees complete regular information security staff awareness training. This is addressed further in Annex A.7.2.2.
A.7.2.2 Information security awareness, education and training
Employees and relevant contractors must receive information security staff awareness training.
These training courses should be retaken at regular intervals to refresh employees’ knowledge and account for changes in how the organisation operates.
A.7.2.3 Disciplinary process
Organisations must create and document a disciplinary process for when an employee violates their employment contract.
Annex A.7.2.3 focuses on action related to information security breaches, but there doesn’t need to be a separate process. Organisations can use the same framework for information security breaches as they would for disciplinary actions related to other violations.
A.7.3.1 Termination or change of employment responsibilities
The final clause of Annex A.7 addresses what happens when an employee leaves their job. This includes staff who have left voluntarily, been fired or changed roles.
Annex A.7.3.1 recognises that some information security responsibilities are applicable after the employee has left the role.
For example, they are still expected to protect confidential information, and they are prohibited from keeping sensitive information belonging to the employer.
Organisations must define the responsibilities that come with the termination of or change in employment, communicate them to the employee and make sure they are enforced.
Additionally, there are steps that employees must take when they leave their role, such as returning company equipment and any keys, fobs or passes that give access to the premises.
Annex A.7.3.1 also specifies what organisations must do if an employee moves to another position within the same company.
For example, if an employee moves to a different department, the organisation must ensure that they no longer have access to information assets that aren’t required for their new role.
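The mover and leaver checks described in Annex A.7.3.1 are usually enforced through a periodic entitlement review: compare what each person currently holds against what their current status and role permit, and revoke the difference. The script below is an added illustration of that reconciliation, not code from the original post or from any ISO 27001 tooling; the role matrix, the user snapshot and the entitlement names are all constructed sample data, and the role-based model is an assumption about how access is defined.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed role matrix (hypothetical): the entitlements each role may hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "hr-analyst": {"hris:read", "payroll:read", "sharepoint:hr"},
    "finance-analyst": {"erp:read", "payroll:read", "sharepoint:finance"},
    "marketing": {"cms:edit", "sharepoint:marketing"},
}


@dataclass
class UserRecord:
    """One line of a (constructed) entitlement snapshot exported from an access system."""
    user: str
    status: str                 # "active" or "leaver"
    role: Optional[str]         # current role; None once the person has left
    entitlements: Set[str] = field(default_factory=set)


@dataclass
class ReviewResult:
    user: str
    revoke: Set[str]
    grant: Set[str]
    reason: str


def review_user(rec: UserRecord) -> ReviewResult:
    """Compare what a user holds with what their current status and role permit."""
    if rec.status == "leaver":
        # Termination: every entitlement still held is an overdue revocation.
        return ReviewResult(rec.user, set(rec.entitlements), set(),
                            "leaver: revoke all access")
    allowed = ROLE_ENTITLEMENTS.get(rec.role or "")
    if allowed is None:
        # Unknown role: fail closed and flag everything until the role is defined.
        return ReviewResult(rec.user, set(rec.entitlements), set(),
                            f"unknown role {rec.role!r}: revoke pending review")
    # Change of role (or plain drift): anything outside the current role is excess
    # access to revoke; anything the role needs but the user lacks is a grant.
    return ReviewResult(rec.user, rec.entitlements - allowed,
                        allowed - rec.entitlements, f"role {rec.role}")


def review_all(records: List[UserRecord]) -> Dict[str, ReviewResult]:
    """Run the review over a whole snapshot, keyed by user name."""
    return {r.user: review_user(r) for r in records}


# Constructed snapshot: alice moved from HR to Finance but kept her HR access,
# bob has left the organisation, carol's access already matches her role.
SAMPLE_USERS = [
    UserRecord("alice", "active", "finance-analyst",
               {"hris:read", "payroll:read", "sharepoint:hr"}),
    UserRecord("bob", "leaver", None, {"cms:edit", "sharepoint:marketing"}),
    UserRecord("carol", "active", "marketing", {"cms:edit", "sharepoint:marketing"}),
]

if __name__ == "__main__":
    for res in review_all(SAMPLE_USERS).values():
        if res.revoke or res.grant:
            print(f"{res.user}: revoke {sorted(res.revoke)}, "
                  f"grant {sorted(res.grant)} ({res.reason})")
```

Running the review flags alice's leftover HR entitlements for revocation while listing the Finance entitlements she still needs, and marks every entitlement bob still holds as an overdue leaver revocation. The unknown-role branch deliberately fails closed, because a role that is missing from the matrix is exactly the case in which access is most likely to go unreviewed.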
Simplify the ISO 27001 compliance process
Are you looking to bolster your organisation’s human resource security? Our Compliance Manager tool contains everything you need to strengthen your information security processes and achieve ISO 27001 compliance.
It provides a curated list of information security clauses from UK law and a collection of GDPR articles, each accompanied by implementation guidance.
You can also add your own requirements or controls that apply to your organisation.
Compliance Manager’s interactive database lists the applicable clauses from each law and provides guidance on implementing them, mapped against the appropriate best-practice controls from Annex A of ISO 27001.