ISO 27001 – Annex A.7: Human Resource Security

What is the objective of Annex A.7.1 of ISO 27001:2013?

Annex A.7.1 covers the period prior to employment. The objective in this Annex is to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. It also covers what happens when those people leave or change roles. It’s an important part of the information security management system (ISMS), especially if you’d like to achieve ISO 27001 certification. Let’s look at those requirements and what they mean in a bit more depth.

A.7.1.1 Screening

A good control covers background verification and competence checks on all candidates for employment. These must be carried out in accordance with the relevant laws, regulations and ethics, and should be proportional to the business requirements, the classification of the information that will be accessed and the perceived risks associated. For example, staff accessing higher level information assets that carry more risk may be subject to much more stringent checks than staff who only ever get access to public information or handle assets with limited threat. Putting in place adequate and proportionate HR controls at all stages of employment helps to reduce the likelihood of accidental or malicious threats. The screening should also take place for contractors (unless their parent organisation meets your broader security controls, e.g. has their own ISO 27001 and does their own background checks). An auditor will expect to see a screening process with clear procedures being operated consistently each time, which also helps to avoid any preference/prejudice risks. Ideally this will be aligned with the overall organisation hiring process.

A.7.1.2 Terms & Conditions of Employment

The contractual agreement with employees and contractors must state both their responsibilities and the organisation’s responsibilities for information security. These agreements are a good place to put key general and individual information security responsibilities as they carry legal weight, meaning they are backed up by the law. This is also very important as regards GDPR and the new Data Protection Act 2018. They should reference and cover a whole range of control areas including overall compliance with the ISMS as well as, more specifically, acceptable use, IPR ownership, return of assets etc. We recommend working with an HR lawyer if you are unsure, as the consequences of getting employment contracts wrong from an information security perspective (and other dimensions) can be significant.

We make achieving ISO 27001 easy

Get a 77% headstart

Our ISMS comes pre-configured with tools, frameworks and documentation you can Adopt, Adapt or Add to. Simple.  
Your path to success

Our Assured Results Method is designed to get you certified on your first attempt. 100% success rate.  
Watch and learn

Forget about time consuming and costly training. Our Virtual Coach video series is available 24/7 to guide you through.  

What is the objective of Annex A.7.2 of ISO 27001:2013?

The objective in this Annex is to ensure that employees and contractors are aware of and fulfil their information security responsibilities during employment.

A.7.2.1 Management responsibilities

A good control describes how employees and contractors apply information security in accordance with the policies and procedures of the organisation. The responsibilities placed upon managers should include requirements to:

  • Ensure that those they are responsible for understand the information security threats, vulnerabilities and controls relevant to their job roles and receive regular training (as per A7.2.2);
  • Ensure buy-in to proactive and adequate support for relevant information security policies and controls; and
  • Reinforce the requirements of the terms and conditions of employment.

Managers play a critical role in ensuring security consciousness and conscientiousness throughout the organisation and in developing an appropriate “security culture”.

A.7.2.2 Information Security Awareness, Education & Training

All employees and relevant contractors must receive appropriate awareness education and training to do their job well and securely. They must also receive regular updates on organisational policies and procedures when they are changed, along with a good understanding of the applicable legislation that affects them in the role. It is common for the information security team to partner with HR or a Learning & Development team to carry out skills, knowledge, competence and awareness assessments and to plan and implement a programme of awareness, education and training throughout the employment lifecycle (not just at induction). You need to be able to demonstrate that training and compliance to auditors. Also carefully consider how the training and awareness is delivered to give staff and contractors the best chance of understanding and following it; this means careful attention to content and medium for delivery.

A.7.2.3 Disciplinary Process

There needs to be a documented disciplinary process in place and communicated (in line with A7.2.2 above). Whilst focused here on disciplinary action following security breaches, it can also be dovetailed with other disciplinary reasons. If your organisation already has a recognised HR disciplinary process then ensure it covers information security in the manner required for the ISO 27001:2013 standard.

What is the objective of Annex A.7.3 of ISO 27001:2013?

Annex A.7.3 is about termination and change of employment. The objective in this Annex is to protect the organisation’s interests as part of the process of changing and terminating employment.

A.7.3.1 Termination or change of employment responsibilities

Information security responsibilities and obligations that remain valid after termination or change of employment must be defined, communicated to the employee or contractor and enforced. Examples include keeping information confidential and not leaving with information that belongs to the organisation.

It is really important to ensure that information remains protected after an employee or contractor leaves the organisation, as people themselves are walking data stores. The contractual terms & conditions should reinforce this, and the leaver’s process and/or contract termination process (including return of assets) should include a reminder to individuals that they have some responsibilities to the organisation even after they have left.

An auditor will want to see evidence that leavers have returned their assets and that the process has been closed off and documented, demonstrating that assets are updated in the asset inventory (A8.1.1) where appropriate.

This is not just about termination and exit. If an employee changes role, e.g. moving from operations to sales, you should do a review to demonstrate they no longer have access to information assets that are not required in the new role, and are provisioned with access to information assets needed for the future.

ISO 27001 policies, controls, and tools for Human Resource Security are included in A perfect fusion of knowledge and technology for early ISO 27001 certification

We’ll give you a 77% head start on your ISO 27001 certification

How to easily demonstrate A.7 Human Resource Security

The platform makes it easy for you to achieve every objective of Human Resource Security.

Step 1 : Human resource management made easy

Manage your human resource security in the following ways:

  • Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
  • Ensure that employees and contractors are aware of and fulfil their information security responsibilities.
  • Protect the organisation’s interests as part of the process of changing or terminating employment.
Step 2 : Adopt, adapt and add

Our pre-configured ISMS will enable you to evidence controls A.7.1, A.7.2 and A.7.3 within our platform and easily adapt it to your organisation’s needs.

You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.

This means that you have a ready-made, simple-to-follow foundation for ISO 27001 compliance or certification, giving you a 77% head start.

Step 3 : Demonstrate to your auditors

You can easily demonstrate your work to auditors by recording your evidence within the platform e.g. data, policies, controls, procedures, risks, actions, projects, related documentation and reports.

Step 4 : A time-saving path to certification

Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification. A.7 is part of the second section that ARM will guide you on, where you’ll begin to describe your current information security policies and controls in line with Annex A controls.

Step 5 : Extra support whenever you need it

If you need extra support, our optional Virtual Coach provides context-specific help whenever you need it. Additionally, our Service Delivery Team and your Account Manager are only ever a phone call away.