How to perform background checks according to ISO 27001

Update 2022-03-16.

“The human factor is the weakest link in the security.” How many times have we already heard this sentence? How many stories have we already heard about security incidents caused by human failure or inaction?

In an effort to minimize this situation, organizations all around the world have been working hard to make their employees and contractors aware of the importance of protecting information, and to prepare them to handle attempted attacks and incidents when they arise. But, what if the wrong person is allowed to enter the organization? What if a person you think is competent for the job is, in fact, not that competent? The best training and awareness campaigns won’t help you with that.

In this article, you will see how ISO 27001, the leading ISO standard for information security management, addresses human resources security before employment, and how its practices can help your organization put the right people in the right jobs. Read on to learn more about ISO 27001 background checks.

An ISO 27001 background check could include:
  • verification of the completeness and accuracy of the applicant’s curriculum vitae
  • verification of references, either personal or professional
  • confirmation of claimed qualifications, either academic or professional
  • verification of the person’s identification provided in the application for the job
  • specific verifications and confirmations related to specificities of the job to be performed

Why worry about people before you employ them?

In terms of information security, we can basically summarize this answer in two words: trust and competence.

When an organization decides to hire someone, this person will interact with other people’s information, either from other employees, partners, or customers. It’s essential to ensure that you can trust this person to handle and protect information.

Following trust, when an organization hires, it is seeking to find the most capable people to perform specific activities in order to achieve its business objectives, so verifying competence is essential. (See also: How to learn about ISO 27001 and BS 25999-2.)


What to consider before hiring people

When hiring new employees, a company needs to show due diligence by implementing ISO 27001 background checks in order to find trustworthy and competent people.

For example, to implement a secure network, a person is expected to have solid knowledge and experience in this area. If a potential employee, i.e., a candidate for the position, does not have such competences, he/she shouldn’t be considered for that position, because the organization may be held liable in case of problems or incidents.

To ensure that these aspects can be fulfilled for information security, an ISO 27001 background check could include:

  • verification of the completeness and accuracy of the applicant’s curriculum vitae;
  • verification of references, either personal or professional (e.g., by contacting neighbors, previous employers, or by scanning through the Internet for available information);
  • confirmation of claimed qualifications, either academic or professional (e.g., by contacting the certification issuers) – for more information about what to look for in terms of competences, see: What to look for when hiring a security professional and How personal certificates can help your company’s ISMS;
  • verification of the person’s identification provided in the application for the job (e.g., by contacting the identification document issuer); and
  • specific verifications and confirmations related to specificities of the job to be performed (e.g., criminal records for any critical role, bank history for candidates who will have big financial responsibilities, etc.).

It is important to note that background checks must be performed:

  • only by specific and authorized people (a good practice is to establish a formal procedure with rules that define who must perform them, how, when, and why the background checks are carried out); and
  • not only for new employees or contractors, but also for current personnel who are promoted or transferred to a new position, because the requirements for the new position may be stricter.

In cases where the background checks are performed by a contractor on behalf of the organization, an agreement should be defined between the organization and the contractor to ensure that the contractor will perform the procedure and communicate any situations that raise doubts or concerns.


Limitations on background checks

Because ISO 27001 background checks involve the gathering of information that may be considered private or intimate, or may allow the personal identification of a person, some issues must be considered to prevent the organization from being subject to legal action:

  • Background checks must be carried out in accordance with relevant laws, regulations, and ethics; in today’s globalized world, this may be tricky when you hire people who will be working remotely from other countries.
  • The depth and coverage of background checks must be proportional to what the business considers relevant (you can use as reference the business requirements, information classification, and perceived risks).
  • Information gathered during background checks must be handled and protected according to relevant laws, regulations, and ethics.

Good background practices mean better security and performance

Hiring someone to work for your organization may be the most critical aspect of the business, because no matter how good your processes, equipment, resources, and systems are, all of them will be in the hands of those you will hire. In the wrong hands, even the best tool can be useless or used to cause damage.

By performing background checks according to ISO 27001 requirements, you can minimize the risks of poor performance and the compromising of critical information from the organization.

Learn more about human resources security in this free online training: ISO 27001 Foundations Online Course.

Author: Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.