All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI SCIM Integration
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base DORA Knowledge Base
Company Security and customers first
About News Partners Contact

Screening

Annex A control 6.1 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 7.1.1

Before joining an organisation, it’s important for background checks to be carried out on employees and selected suppliers. This is what control 6.1 covers.

Alongside all relevant laws, regulations and ethical standards adhered to by an organisation, it’s important to take a proportionate approach to the organisation’s unique verification check needs. This involves considering the kind of information employees and suppliers will encounter as part of their role, and the risks this contact poses.

Screening steps outlined in control 6.1

Annex 6.1 focuses on the importance of screening when taking on a partnership or new team member. This screening process should involve the following steps:

  • Business and personal references
  • A verified CV to attest to the fact that the candidate has not omitted or altered any information
  • Professional, academic and vocational qualifications confirmation
  • Identity verification in the form of a passport of driving license issues by a public sector organisation or government agency
  • Credit and criminal record checks carried out on any role deemed in need of enhanced vetting

Background checks security

The collection, processing and transfer of personal identifiable information (PII) and protected characteristics is common in background checks, meaning it’s important to adhere to any prevailing employment legislation. This will involve information the candidate of what data will be processed and how it will be used before the screening process commences.

Screening procedures should clearly outline the personnel responsible for the screening on behalf of the organisation as a whole. They should also address why the screening has to take place.

Once an employee or supplier has been vetted and hired, they should be able to carry out their duties with trust, especially in the case of information security tasks.

Screening flexibility

Control 6.1 provides organisations with flexibility regarding when and how they initiate enhanced vetting controls. However, it does state explicitly that no distinction should be made between new employees and current staff members who have been promoted to roles with greater flexibility.

Enhanced screening should be initiated in the case of roles dealing with information processing on a daily basis, or that handle and process sensitive information like PII or financial data.

If screening cannot be carried out in a timely manner – due to urgent hires or third-party delays for example – alternative courses of actions should be taken. These include a delayed onboarding process, restricted access, withheld equipment, or employment termination.

What’s changed since 2013?

Replacing ISO 27001:2013 Annex A control 7.1.1, control 6.1 of the 2022 version of the standard contains largely the same guidance regarding what information must be verified before the hiring of an employee or supplier. However, it goes a step further by providing additional guidance on how organisations should handle incomplete verification.