ISO 27001 Annex A.7: Human Resource Security

Annex A.7 of ISO 27001 requires that specific measures be taken before, during and after a person’s employment at your firm. These procedures aim to protect your organisation’s data at all three stages.

A.7.1 Before employment

A.7.1.1: Screening

Background checks and identity verifications must be carried out on prospective candidates before they access company data. The extent of the check depends on the role the candidate would fill: people who will handle high-risk data must be thoroughly researched and verified before they handle the firm’s most sensitive information. Entry-level jobs require less work, though you may opt to carry out complete checks for all roles. Independent contractors must go through the same verification process to confirm their history.

If you use external interested parties or associates, you can either perform the screening yourself or request evidence of screening. This helps reduce the risk to your business. The auditor will review your screening policies and procedures.

A.7.1.2: Terms and Conditions of employment

The agreement you sign with a new employee must clearly state the responsibilities both sides have for maintaining information security, and which laws support the contract. Include the relevant details of the laws, regulations and compliance requirements that apply to your staff.

Be sure to have the employee sign a non-disclosure agreement and emphasise it when they join, together with the importance of data security and the company’s policies on information breaches.

A.7.2 During Employment

A.7.2.1: Management responsibilities

Managers are all members of the leadership of an organisation, some of whom also sit on the executive board. It is the job of management to ensure that all staff under their authority understand the business’s assets, threats and vulnerabilities. Staff must also be made aware of their duties and of what is expected of them in relation to the ISMS.

Data protection training and information security must be managed across the whole business. Management must also monitor employees’ activities to confirm that they adhere to all of your ISMS standards.

A.7.2.2: Information security awareness, education and training

Current employees must also be educated and kept up to date on best practices for protecting information; this should extend to contractors and any third parties handling confidential files from your company.

It’s best to partner with the human resources department to deliver the appropriate coursework and methods to staff, with HR evaluating the training and keeping evidence of it.

As some staff may learn differently from others, you must consider various learning styles that can improve and even accelerate the training process. Staff should be continually tested on the policies, procedures and laws used within their work setting.

Ensure that training is regular rather than last-minute. Don’t wait for your auditor to set a visit date before you start sending information to your workforce. Employee education matters outside of audits: consider holding sessions at least quarterly, since the more your workers know, the better they can protect your data.

A.7.2.3: Disciplinary process

Be transparent with your workers: discuss your expectations and the consequences if they betray the company’s trust. Management needs to draw up a disciplinary policy that covers a range of cases, from smaller-scale incidents or accidents through to direct breaches of your data.

Ensure that information security disciplinary policies are aligned to your human resources policies.

A.7.3 Termination and change of employment

A.7.3.1: Termination or change of employment responsibilities

When an employee leaves, you need to safeguard your company against loss of data on their part. Workers sometimes leave following difficult situations or acts of misconduct, which often raise concerns about company confidentiality.

How will you reduce the risk of staff leaking your data? Your initial contract with workers must include terms and conditions that protect data after employment, with the worker agreeing to post-employment confidentiality. This legally binds them to maintain their discretion even after they leave the business.

If the employee used company assets during their employment, they must return all property upon departure, and you must be able to present proof of this during your internal audit. Likewise, if a worker changes position within the firm, they must understand what the change means for both their new and their former responsibilities. Management needs to update the employee’s records to reflect the change.