ISO 27001 - Annex A.7: Human Resource Security
What is the objective of Annex A.7.1 of ISO 27001:2013?
Annex A.7.1 covers the period prior to employment. The objective in this Annex is to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. It also covers what happens when those people leave or change roles. It’s an important part of the information security management system (ISMS), especially if you’d like to achieve ISO 27001 certification. Let’s understand those requirements and what they mean in a bit more depth now.
A.7.1.1 Screening
A good control covers background verification and competence checks on all candidates for employment. These must be carried out in accordance with the relevant laws, regulations and ethics, and should be proportional to the business requirements, the classification of the information that will be accessed and the perceived risks associated with it. For example, staff accessing higher-level information assets that carry more risk may be subject to much more stringent checks than staff who only ever get access to public information or handle assets with limited threat. Putting in place adequate and proportionate HR controls at all stages of employment helps to reduce the likelihood of accidental or malicious threats. The screening should also take place for contractors (unless their parent organisation meets your broader security controls, e.g. has its own ISO 27001 certification and does its own background checks). An auditor will expect to see a screening process with clear procedures being operated consistently each time, which also helps avoid any preference/prejudice risks. Ideally this will be aligned with the overall organisation hiring process.
A.7.1.2 Terms & Conditions of Employment
The contractual agreement with employees and contractors must state their and the organisation’s responsibilities for information security. These agreements are a good place to put key general and individual information security responsibilities as they carry legal weight, meaning they are backed up by the law. This is also very important as regards GDPR and the new Data Protection Act 2018. They should reference and cover a whole range of control areas, including overall compliance with the ISMS as well as, more specifically, acceptable use, IPR ownership, return of assets etc. We recommend working with an HR lawyer if you are unsure, as the consequences of getting employment contracts wrong from an information security perspective (and other dimensions) can be significant.
What is the objective of Annex A.7.2 of ISO 27001:2013?
The objective in this Annex is to ensure that employees and contractors are aware of and fulfil their information security responsibilities during employment.
A.7.2.1 Management responsibilities
A good control describes how employees and contractors apply information security in accordance with the policies and procedures of the organisation. The responsibilities placed upon managers should include requirements to: ensure that those they are responsible for understand the information security threats, vulnerabilities and controls relevant to their job roles and receive regular training (as per A.7.2.2); ensure buy-in to proactive and adequate support for relevant information security policies and controls; and reinforce the requirements of the terms and conditions of employment. Managers play a critical role in ensuring security consciousness and conscientiousness throughout the organisation and in developing an appropriate “security culture”.
A.7.2.2 Information Security Awareness, Education & Training
All employees and relevant contractors must receive appropriate awareness, education and training to do their job well and securely. They must also receive regular updates on organisational policies and procedures when these are changed, along with a good understanding of the applicable legislation that affects them in the role. It is common for the information security team to partner with HR or a Learning & Development team to carry out skills, knowledge, competence and awareness assessments and to plan and implement a programme of awareness, education and training throughout the employment lifecycle (not just at induction). You need to be able to demonstrate that training and compliance to auditors. Also carefully consider how the training and awareness is delivered to give staff and contractor resources the best chance of understanding and following it; this means careful attention to both the content and the medium of delivery.
A.7.2.3 Disciplinary Process
There needs to be a documented disciplinary process in place and communicated (in line with A.7.2.2 above). Whilst the focus here is on disciplinary action following security breaches, it can also be dovetailed with other disciplinary reasons. If your organisation already has a recognised HR disciplinary process, then ensure it covers information security in the manner required by the ISO 27001:2013 standard.
What is the objective of Annex A.7.3 of ISO 27001:2013?
Annex A.7.3 is about termination and change of employment. The objective in this Annex is to protect the organisation’s interests as part of the process of changing and terminating employment.
A.7.3.1 Termination or change of employment responsibilities
Information security responsibilities and obligations that remain valid after termination or change of employment must be defined, communicated to the employee or contractor and enforced. Examples include keeping information confidential and not leaving with information that belongs to the organisation. It is really important to ensure that information remains protected after an employee or contractor leaves the organisation, as people themselves are walking data stores.
The contractual terms & conditions should reinforce this, and the leaver’s process and/or contract termination process (including return of assets) should include a reminder to individuals that they still have responsibilities to the organisation even after they have left. An auditor will want to see evidence of leavers having returned their assets and of the process being closed off and documented, demonstrating that assets are updated in the asset inventory (A.8.1.1) where appropriate too.
This is not just about termination and exit. If an employee changes role, e.g. moving from operations to sales, you should carry out a review to demonstrate that they no longer have access to information assets that are not required in the new role, and that they are provisioned with access to the information assets needed for the new role.