ISO 27001 Annex A.7 Human resource security

A.7.1 Prior to employment

Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1 Screening

Control
Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations
and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

A.7.1.2 Terms and conditions of employment

Control
The contractual agreements with employees and contractors shall state their and the organisation’s responsibilities for information
security.

A.6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices

A.6.2.1 Mobile device policy

Control
A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

A.6.2.2 Teleworking

Control
A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

A.7.2 During employment

Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1 Management responsibilities

Control
Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

A.7.2.2 Information security awareness, education and training

Control
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training
and regular updates in organizational policies and procedures, as relevant for their job function.

A.7.2.3 Disciplinary process

Control
There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

A.7.3 Termination and change of employment

Objective: To protect the organization’s interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of employment responsibilities

Control
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

ISO 27001 Table of Contents

ISMS Online Rating: 5 out of 5
Share This