
ISO 27001 Annex A.7: Human Resource Security

Annex A.7 of ISO 27001 requires that specific measures be taken before, during and after a person’s employment at your organisation. These controls aim to protect your organisation’s information at all three stages.


A.7.1 Before employment

A.7.1.1: Screening

Background checks and identity verification must be completed for prospective candidates before they are given access to company data. The extent of the check depends on the role the person will hold: staff who will handle high-risk data must be thoroughly researched and verified before they touch the firm’s most sensitive information, while entry-level roles require less, though you may opt to perform full checks for every role. Independent contractors must go through the same verification process to confirm their history.

If you use external interested parties or associates, you can either perform the screening yourself or request evidence of screening from them. Either way reduces the threat exposure to your business. The auditor will review your screening policies and procedures, and the records showing they were followed.

A.7.1.2: Terms and conditions of employment

The agreement you sign with a new employee must clearly state the responsibilities both sides have for maintaining information security, and which laws underpin the contract. Spell out the laws, regulations and compliance requirements that apply to your staff.

Be sure to have the employee sign a non-disclosure agreement, and emphasise it when they join, together with the importance of data security and the company’s policies on information breaches.

A.7.2 During Employment

A.7.2.1: Management responsibilities

Managers are all members of the leadership of an organisation, some of whom also sit on the executive board. It is the job of management to ensure that all staff under their authority understand the business’s assets, threats and vulnerabilities. Staff must also be made aware of their duties and what is expected of them under the ISMS.

Data protection and information security training must be managed consistently across the business. Management must also monitor employees’ activities to confirm their adherence to all of your ISMS standards.

A.7.2.2: Information security awareness, education and training

Current employees must also be educated and kept up to date on best practices for protecting information; this should extend to contractors and any applicable third parties handling confidential files on behalf of your company.

It’s best to partner with the human resources department to deliver the appropriate coursework and methods to staff, with HR evaluating the results and keeping evidence of the training for the auditor.

As some staff learn differently from others, consider various learning styles that can improve and even accelerate the training process. Staff should be tested regularly on the policies, procedures and laws that apply in their work setting.

Ensure that training is regular rather than last-minute. Don’t wait for your auditor to set a visit date before you start sending information to your workforce. Employee education matters outside of audits; consider holding sessions at least quarterly, since the more your workers know, the better they can protect your data.

A.7.2.3: Disciplinary process

Be transparent with your workers: discuss your expectations and the consequences if they betray the company’s trust. Management needs to define a disciplinary policy that covers different cases, from smaller-scale incidents or accidents through to direct breaches of your data.

Ensure that information security disciplinary policies are aligned to your human resources policies.

A.7.3 Termination and change of employment

A.7.3.1: Termination or change of employment responsibilities

When an employee leaves, you need to safeguard your company against loss of data on their part. Sometimes workers leave under difficult circumstances or after acts of misconduct, which often raise issues related to company confidentiality.

How will you reduce the risk of departing staff leaking your data? Include terms and conditions in the initial contract that protect data after employment, with workers agreeing to post-employment confidentiality. This legally binds them to maintain their discretion even after they leave the business.

If the employee used company assets during employment, they must return all property on departure, and you must be able to present proof of this during your internal audit. If a worker changes position within the firm, they must understand what their new role requires of them with regard to both the new and the former role, and management must update the employee’s records to reflect the change.