The concept of hiring and employing people that are qualified for their assigned role is not an uncommon and unjustified one. However, the way Human Resource Security (HR Security) is viewed through the lens of the ISO 27001 standard shows that there is more to it than just recruitment processes. While established and consistent recruitment processes are important both with and without the standard in mind, there is more focus on ensuring prospective staff will be competent in their role and understand the need for adhering to information security principles in their day-to-day work, lest they may introduce risks into the organisation.
Aspects of HR Security considered by ISO 27001 are ensuring that staff are appropriately vetted, that their contracts contain relevant confidentiality clauses, that staff remain fully informed of their information security responsibilities and are equipped with up-to-date information security training and finally, the ongoing confidentiality arrangements for leavers and terminated employees also need to be considered. Importantly, potential employees must also have proven skills and competencies relevant to their role.
HR security in the recruitment process
Screening is an integral part of HR Security controls. Screening must be commensurate to the requirements of the organisation but must at least comply with the legal, regulatory and ethical requirements of the country or jurisdiction within which recruitment is taking place. Furthermore, a high-level position at a government agency is likely to require a much more in-depth background check because of the level of confidentiality involved in comparison to a position that does not require access to sensitive information. The screening will also consider the candidate’s CV, job references, character references in lieu of job references (perhaps if they are fresh out of education), interviews and may even require a written assessment, technical test or presentation.
It is sometimes the case that if organisations do not receive the required references from candidates, they may decide to take the risk of hiring them. This is increasingly common as references have become meaningless to many organisations due to legal restrictions: references now only really cover their start and end of service dates. With this in mind, there has seemingly been a shift in attitude and organisations would prefer to put staff to the test and monitor their performance and skills over a longer probation period.
Another stage of the HR Security process is having standard documented terms and conditions of employment for both permanent employees and contractors. This allows the organisation to enforce a consistent and repeatable process when offering a candidate a role within their organisation. Having a consistent and documented approach is really useful, not only in terms of when you are audited, but if an unsuccessful candidate suggests that you treated them differently for any reason you have this process as evidence to show that is in fact not the case.
A good example of successful ISO 27001 implementation is our recent engagement with Personnel Checks, the UK’s top-ranked Government Approved DBS Umbrella Body.
“Our processes and procedures are now really robust. We have a strong suite of iso 27001 documents, well organised and they cover everything we need to cover. Our mentality has evolved throughout the business now on every level. For example, when it comes to onboarding new suppliers, we know we have key documents that will support that process and certain guidelines to follow in order to ensure we’re doing everything in the correct way and protecting our clients.” Jack Mellor, Managing Director, Personnel Checks.
Find out how Personnel Checks were supported through to successful ISO 2001 certification.
Whilst employed at your organisation
A key part of your responsibilities to information security when employing people is ensuring that both employees and contractors act in accordance with internal policies, processes and procedures. Whilst you cannot expect employees to know the contents of policies verbatim, it is important that, in order to support the organisation in maintaining the security of the information it is responsible for, they know that the policies exist and where to find them.
In addition, there is also an expectation that all employees of an organisation (this includes contractors) should receive annual awareness training regarding their responsibilities to information security. This is when they first start work in the organisation, and subsequently at regular intervals helping to ensure competence throughout the organisation. Once competence has been determined a way to ensure that people do not fall below acceptable levels is to maintain a skills matrix of current employees and add all future staff to that matrix.
Compliance with policies and procedures
A disciplinary process is another imperative requirement of ISO 27001 and needs to specifically cater for confidentiality and information security breaches. This process should be formally documented and should be readily available to staff. It may include different levels of misconduct. For example, an isolated information security breach/ breach of policies or procedures may be classed as Misconduct whereas repeated occurrences by the same individual would be classed as Gross Misconduct. An easy way to ensure that staff remain compliant and are aware of the repercussions of policy and confidentiality breaches is to add a compliance statement to your policies.
Confidentiality clauses within the terms of the employee’s contract are another way of ensuring that compliance with policies and procedures as these can always refer back to the disciplinary process for non-compliance.
Role change or termination
In the event of a change of role, the simplest approach could be an amendment of their contract terms and conditions. Alternatively, it may just be a case of ensuring that the terms of employment are still current and accurate.
In addition, a formal process is required to remind employees of their ongoing responsibilities post-employment following their termination or resignation.
This process of reminding employees of their responsibilities and duties can be achieved in different ways, for example, a minuted exit interview can be used to not only get feedback on their reasons for leaving but to remind them of their ongoing responsibilities to protect the information security of the organisation. An alternative may be to send a resignation or a dismissal acknowledgement letter reminding them of their continued responsibilities.
What to do now?
All sections of this article mention different processes, procedures and forms that are necessary to ensure that your HR Security is consistent across your organisation, but it does not have to be as difficult as it may sound. It is possible to combine some of these areas into single high-level documents which are easy to follow and use. When we complete a full ISO 27001 implementation, we supply a whole document set which includes all the topics covered in this article.
If you are thinking of gaining ISO accreditation, we’re here to help wherever you are on your decision path. We can act as your external ISO 27001 consultant and help with an initial workshop, carry out a full gap analysis, support your ISO project or manage your management system for you.
If you’d like to understand more about our ISO services, we’d be delighted to hear from you. You can find out more about our services here.
Free useful resources
Download this free infographic on the benefits of ISO 27001 certification for your business. This type of information is useful when taking suggestions to the board for consideration.
Download this free Guide to ISO 27001 which takes a deeper dive into the standard.
Image by 8photo on Freepik