A.7.1 Prior to Employment
Annex A.7, Human Resource Security, has the objective of ensuring that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
A.7.1.1 Screening
Control: Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics, and should be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
Implementation Guidance: Verification should take into account all relevant privacy, protection of personally identifiable information and employment-based legislation, and, where permitted, should include the following:
- Availability of satisfactory character references, e.g. one business and one personal;
- Verification of the applicant's curriculum vitae (for completeness and accuracy);
- Confirmation of claimed academic and professional qualifications;
- Independent identity verification (passport or similar document);
- More detailed verification, such as credit checks or review of criminal records.
When an individual is hired for a specific information security role, the organization should make sure the candidate:
- Has the necessary competence to perform the security role;
- Can be trusted to take on the role, especially if the role is critical to the organization.
Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities, and in particular where these handle confidential information such as financial information or highly confidential data, the organization should also consider further, more detailed verification.
Procedures should define criteria and limitations for verification reviews, e.g. who is eligible to screen people, and how, when and why verification reviews are carried out.
A screening process should also be ensured for contractors. In these cases, the agreement between the organization and the contractor should specify responsibilities for conducting the screening and the notification procedures to be followed if screening has not been completed or if the results give cause for doubt or concern.
Information on all candidates being considered for positions within the organization should be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction. Depending on applicable legislation, candidates should be informed beforehand about the screening activities.
"No matter how good or successful you are or how clever or crafty, your business and its future are in the hands of people you hire." (Akio Morita). This is why Human Resources plays a crucial role in the organization: selecting the right people, making them aware of their roles and responsibilities, and carrying the responsibility for the organization's security that comes with hiring. The security measures HR needs to take while hiring a candidate, and the guidelines for this security role, are covered in Infosavvy's IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification) training, which uses worked examples to show how to recruit people who are qualified for a specific role.
A.7.1.2 Terms and Conditions of Employment
Control: The contractual agreements with employees and contractors should state their responsibilities, and the organization's responsibilities, for information security.
Implementation Guidance: The contractual obligations of employees or contractors should reflect the organization's information security policies, in addition to clarifying and stating the following:
- That all employees and contractors who are given access to confidential information should sign a confidentiality or non-disclosure agreement before being granted access to information processing facilities;
- The employee's or contractor's legal responsibilities and rights, e.g. regarding copyright or data protection legislation;
- Responsibilities for the classification of information and the management of organizational assets associated with information, information processing facilities and information services handled by the employee or contractor;
- The employee's or contractor's responsibilities for the handling of information received from other companies or external parties;
- Actions to be taken if the employee or contractor disregards the organization's security requirements.
Information security roles and responsibilities should be communicated to job candidates during the pre-employment process.
The organization should ensure that employees and contractors agree to terms and conditions concerning information security that are appropriate to the nature and extent of the access they will have to the organization's assets associated with information systems and services.
Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment.
Other Information: A code of conduct may be used to state the employee's or contractor's information security responsibilities regarding confidentiality, data protection, ethics, appropriate use of the organization's equipment and facilities, and the reputable practices expected by the organization. An external party with which a contractor is associated can be required to enter into contractual arrangements on behalf of the contracted individual.