Inverifi logo

ISO:27001

Annex 7- Human resource security

Get compliant with ISO:27001 – Annex A.7 and simplify compliance for your organisation.

Outlines the management system standards for contractors before, during and after employment. It includes all HR duties such as recruiting, contractors, awareness, education, training, discipline, change, and termination. The main goal of this annex is to guarantee that all employees, suppliers, and contractors are qualified for and understand their responsibilities, and that access is revoked after the task is finished.

Annex 7.1- Prior to employment

Annex 7.1.1 Roles and responsibilities

To ensure that employees, contractors and third party users understand their responsibilities, and are acceptable for the roles they are considered for, and to reduce the risk of theft or fraud. 

Security responsibilities and roles should be addressed before employment, in the job description, in terms and conditions of employment and under the organisation’s information security policy.

All users of information processing access should sign an agreement on their security roles and responsibilities.

Annex 7.1.2 Screening

Background checks on all candidates of employment, contractors, and third party users should take place in line with relevant laws, regulations, and in order with the business requirements, responsibilities and risks of the role.

 

Procedures should explain standards and limitations for verification checks. 

 

A screening process should also be in place for contractors and other users. Contractors provided by an agency, the contract with the agency should specify the agency’s responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern.

 

Information on all candidates being considered for positions should be collected, and handled in compliance with any legislation in the relevant jurisdiction.

Annex 7.1.3 Terms and conditions of employment

As part of their contractual obligations, employees, contractors and other users should agree and sign the terms and conditions of their employment contract, which should state their and the organisation’s responsibilities for information security. 

 

Is the organisation’s responsibility to ensure the users agree to terms and conditions regarding information security policy relevant to the extent of access they will have in the organisation’s confidential information. 

 

When appropriate, responsibilities contained within the terms and conditions of employment should continue for a determined period after the end of the employment. 

Annex 7.2- During employment

Annex 7.2.1 Management responsibilities

Management should require employees, contractors and third party users to apply security in order with the policies and procedures of the organisation. 

Poor management may cause workers to feel undervalued, resulting in a negative security impact. On the other hand, motivated workers are likely to be more reliable and cause less information security incidents. 

Annex 7.2.2 Information security awareness, education, and training

All employees and, where relevant, contractors and third party users should have suitable training and regular updates in organisational policies and procedures, as relevant for the job function. 

 

Ongoing training should cover use of information processing facilities, security requirements, legal responsibilities and business controls.

 

The security awareness training and education should be relevant and suitable to a person’s role, responsibilities and skills, and should include information about known threats, who to contact for further advice and the procedure of reporting information security incidents.

Annex 7.2.3 Disciplinary process

There should be a formal disciplinary process for employees who have committed a security breach.

 

After verification of the security breach has occurred, the formal disciplinary process should guarantee correct and fair treatment for employees who are suspected of committing a security breach. The formal disciplinary process should provide a response that takes into consideration a number of factors such as;

  • Gravity of the breach and impact on the business.
  • First or repeated offence. 
  • Proper training received.

 

In serious cases, the process should allow immediate removal of duties, access rights and privileges. 

Annex 7.3- termination or change of employment

Annex 7.3.1 Termination responsibilities

Responsibilities to carry out employment termination or change of employment should be clearly defined and assigned. 

 

Responsibilities and duties still valid after termination of employment should be mentioned in employee’s, contractor’s or third party user’s contracts.

 

The Human Resources duty is, in most cases, responsible for the overall termination process and works together with the manager of the person leaving to manage the security aspects of the relevant procedures. In a case of a contractor, the termination responsibility process may be undertaken by an agency responsible for the contractor.

Annex 7.3.2 Return of assets

All employees, contractors and third party users should return all of the organisation’s assets in their possession upon termination of their employment, contract or agreement.

 

The termination process should be documented, and in cases where workers purchase the organisation’s equipment or use their own personal equipment, procedures to transfer all relevant information and securely erase from the equipment, should be in place. 

 

Where an employee, contractor or other user, has knowledge that is important to ongoing operations, that information should be documented and transferred to the organisation.

Annex 7.3.3 Removal of access rights

The access to information and information processing facilities, should be removed upon termination of their employment, contract or agreement, or adjusted upon change. 

 

In some cases the access should be reduced or removed before the employment terminates or changes, depending on the evaluation of risk factors such as;

  • Whether the termination or change is initiated by the employee, contractor or third party user, or by management and the reason for termination.
  • Current responsibilities of the employee, contractor or other user.
  • The value of the assets currently accessible.