ISO 27001:2022 Annex A Control 6.1

Explaining Annex A Control 6.1 Screening

ISO 27001 Control 6.1, known as Screening, involves a systematic process of verifying the eligibility and suitability of personnel before and during their engagement with your organization. This control is part of a broader cybersecurity and information security management effort to reduce the risks associated with insider threats and to ensure that individuals with access to sensitive data are both qualified and trustworthy.

Objective of Control 6.1

The primary objective of Control 6.1 is to prevent unauthorized access to information and reduce the likelihood of insider threats. Your organization accomplishes this by:

  • Verifying the integrity and credibility of staff members, contractors, or temporary personnel.
  • Aligning with applicable privacy laws and employment regulations.
  • Protecting the confidentiality, integrity, and availability of critical data in line with the ISO 27001 Information Security Management System (ISMS).
  • Enabling trust in the individuals who handle your organization’s sensitive operations or access confidential information.

Purpose of Control 6.1

The purpose of Screening is to ensure that anyone with potential access to sensitive systems or information is properly vetted. This includes verifying identity, qualifications, and background. Screening helps your organization:

  • Confirm qualifications to avoid misrepresentation of skills or credentials.
  • Reduce the risk of data breaches by identifying concerns related to criminal history or other trust factors.
  • Improve overall risk management by aligning screening measures with the classification of the information or systems each role can access.
  • Maintain a secure human resource environment through regular re-checks over the course of employment.

Scope and Applicability

Personnel Covered

  • Full-time, part-time, and temporary employees who will access any sensitive or critical information systems.
  • Contractors and consultants who, by the nature of their engagement, also require authorized access to business processes or data.

Timing of Screening

  • Pre-Employment Screening: Conducted before granting system access or handling critical functions.
  • Ongoing Screening: Periodically repeated to ensure continuous suitability for roles of higher sensitivity or for employees transitioning to new positions.

Legal and Regulatory Considerations

  • Data Protection: In line with jurisdiction-specific privacy and personal data protection laws (for example, GDPR within the EU).
  • Employment Legislation: Adhere to local or national laws that dictate the scope of allowable checks.
  • Candidate Consent: In some regions, your organization must inform candidates about the nature and scope of background checks.

Considerations for Implementation

1. Background Verification Checks

Implement background checks proportionate to the risk level of each role. Typical verification areas include:

  • References: Request professional references from previous employers or colleagues who can verify credibility and work history.
  • Curriculum Vitae Review: Confirm that the information in the applicant’s résumé is correct, including dates of prior employment and job titles.
  • Academic and Professional Qualifications: Validate the authenticity of degrees, certifications, or specialized credentials.
  • Identity Verification: Ensure applicants provide valid government-issued documentation such as a passport or driver’s license.
  • Criminal Records: Conduct criminal record checks if the role involves high levels of trust or access to sensitive information.
  • Credit History: Consider credit checks for roles dealing with financial data or access to monetary assets.

2. Competency and Trustworthiness

When recruiting for an information security role or any critical position, evaluate:

  • Technical Knowledge: Confirm that the candidate meets the specific security or technical skill requirements of the role.
  • Ethical Conduct: Assess the applicant’s track record of adhering to ethical guidelines, especially in past employment or professional memberships.
  • Confidentiality Awareness: Gauge the applicant’s familiarity with handling confidential data and proprietary technologies.

3. Ongoing Screening or Re-screening

  • Periodic Checks: For roles with significant access privileges, consider scheduling re-checks on an annual or biennial basis.
  • Role Changes or Promotions: If an employee’s position changes to include more sensitive responsibilities, perform additional checks to ensure new requirements are met.
  • Risk-Based Approach: Tailor the frequency and depth of ongoing checks to the potential impact of a security incident in each role.

4. Handling Incomplete Screenings

If your organization cannot finalize a screening within the expected timeframe, consider mitigating controls to limit potential security exposure:

  • Delayed Onboarding: Postpone the official start date until essential checks are completed.
  • Limited Access: Restrict the employee’s access to non-critical systems or data while awaiting final results.
  • Delayed Deployment of Assets: Withhold company devices or system credentials until verification is confirmed.
  • Termination of Employment: Where critical concerns arise or where checks fail to meet minimum standards, end the employment process.

Roles and Responsibilities

Human Resources (HR)
Defines screening policies, coordinates checks, and ensures compliance with labor and privacy laws.

Hiring Managers
Provide role-specific risk assessments to determine the required level of screening for new hires or internal transfers.

Information Security Team
Identifies security-sensitive roles and advises on critical areas of background verification.

Legal or Compliance Department
Confirms that screening activities adhere to relevant statutes, regulations, and ethical standards.

Relevant Legal, Regulatory, and Ethical Requirements

To comply with ISO 27001 and related data protection laws, your organization should be aware of the following:

  • Privacy and Personal Data Protection: Ensure that sensitive candidate information is stored securely and used only for legitimate purposes.
  • Fair Hiring Practices: Avoid any form of discrimination during the screening process.
  • Consent and Disclosure: Provide transparent communication about the nature and extent of screening to obtain informed consent.

Relationship to Other ISO 27001 Controls

  • Control 6.2: Terms and conditions of employment – Ensures that security responsibilities are defined and communicated.
  • Control 5.2: Roles and responsibilities – Clarifies who is authorized to conduct screenings and the scope of their authority.
  • Control 5.1: Policies for information security – The screening policy is often a subset of overarching security policies that define how staff are managed.

Templates Available on Our Website

Your organization may streamline the screening process by using ready-made resources:

  • Screening Policy Template: Outlines the procedures, responsibilities, and scope of background verifications.
  • Screening Procedure Guide: Provides step-by-step instructions for HR and hiring managers to conduct background checks.
  • Candidate Consent Form: Covers the legal aspects of data collection and ensures clear communication with prospective employees.
  • Role-Based Risk Assessment Checklist: Maps levels of background checks to the confidentiality, integrity, and availability requirements for each role.