ISO 27001 Annex A.7 Human resource security
A.7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
A.7.1.1 Screening
Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
A.7.1.2 Terms and conditions of employment
The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information
A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
A.6.2.1 Mobile device policy
A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
A.6.2.2 Teleworking
A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
A.7.2 During employment
Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
A.7.2.1 Management responsibilities
Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
A.7.2.2 Information security awareness, education and training
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
A.7.2.3 Disciplinary process
There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
A.7.3 Termination and change of employment
Objective: To protect the organization’s interests as part of the process of changing or terminating employment.
A.7.3.1 Termination or change of employment responsibilities
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.