Purpose of Control 6.1
Control 6.1 deals with the background checks that are required on all employees and selected suppliers, prior to them joining the organisation.
Control 6.1 advocated for a proportional approach to verification checks that is linked to the unique requirements of the organisation, and encompasses all the relevant laws, regulations and ethical standards that an organisation holds themselves to, wherever they operate.
When carrying out checks, organisations should be mindful of the type of information that each employee/supplier will come into contact with throughout their job role, and any associated risks.
Attributes Table of Control 6.1
Control 6.1 is a preventive control that maintains risk by establishing a screening process that vets all full-time, part-time and casual/temporary staff and suppliers, to ensure that only fit and proper personnel are able to access information.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality | #Protect | #Human Resource Security | #Governance and Ecosystem |
| #Integrity | ||||
| #Availability |
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Ownership of Control 6.1
Employment verification checks are usually carried out prior to a person starting their job. As such, ownership of 6.1 should rest with an organisation’s HR Manager.
General Guidance on Control 6.1
Screening activities should include the following checks:
- References, including both business and personal attestations.
- CV verification, to ensure the candidate has neither omitted any relevant information and has only included accurate and truthful information.
- Confirmation of academic, vocational and professional qualifications and certifications.
- Identity verification, as confirmed by a third-party governmental or public sector organisation (passport and/or driving licence checks).
- Credit checks and criminal record checks, for any roles that are deemed suitable for enhanced vetting.
Background verification often includes the collection, processing and transfer of PII and/or protected characteristics (UK law). As such, organisations should ensure strict adherence to any prevailing employment legislation, wherever they operate.
This usually involves informing the candidate of the screening process (both in terms of the data being processed and what it’s being used for), prior to the verification being carried out.
Screening procedures should clearly outline the personnel responsible for carrying out the screening on behalf of the organisation, and the underlying reason as to why screening is being conducted in the first place.
If screening is to be carried out on suppliers, it’s important to include this requirement in any contractual agreements prior to services being rendered.
Once an employee/supplier has been vetted and hired, the organisation should take steps to ensure that the candidate has the ability to carry out their role as advertised, and has proven themselves to be a trustworthy individual, especially if their role includes any information security-related activities.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Guidance – Enhanced Vetting
Control 6.1 gives organisations considerable leeway on the circumstances that are required prior to initiating enhanced vetting controls.
Such procedures should be decided on a job-by-job basis, and no distinction should be made between new staff, or existing staff that have been promoted to a role that features a greater amount of responsibility.
Roles that require enhanced screening can be defined as any that deal with information processing as a daily activity (e.g. HR), or any role that includes the handling or processing of PII, financial information or any other type of sensitive data.
Organisations should also consider ways in which to verify the ongoing suitability of any personnel who are employed within a critical role.
Guidance – Incomplete Verifications
In certain circumstances (urgent hires, third-party delays, application mistakes etc.), screening is not always able to be completed in a timely manner.
Where this occurs, organisations should consider alternative courses of action that minimises the risks associated with an unscreened member of staff, including:
- Delayed onboarding.
- Restricted access to systems.
- Withholding company assets and equipment.
- Termination of employment.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Changes and Differences From ISO 27002:2013
27002:2022-6.1 replaces 27002:2013-7.1.1 (Screening).
27002:2022-6.1 contains the same basic guidance points as 27002:2013-7.1.1, in advising organisations on what information is required to be verified prior to an employee/supplier starting their job (references, CV, identity etc).
Building on the basic guidance offered, 27002:2022-6.1 also contains additional information on how organisations should react to incomplete verifications, including potential termination.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.online Helps
The ISMS.online platform provides a range of powerful tools that simplify the way you can document, implement, maintain and improve your information security management system (ISMS) and achieve compliance with ISO 27002.
Get in touch today to book a demo.
