
The ISO 27001 & ISO 22301 Blog

Rhand Leal

How to perform background checks according to ISO 27001

“The human factor is the weakest link in security.” How many times have we heard this sentence? How many stories have we heard about security incidents caused by human error or inaction?

In an effort to minimize this problem, organizations all around the world have been working hard to make their employees and contractors aware of the importance of protecting information, and to prepare them to handle attempted attacks and incidents when they arise. But what if the wrong person is allowed to enter the organization in the first place? What if a person you think is competent for the job is, in fact, not that competent? The best training and awareness campaigns won’t help you with that.

In this article, you will see how ISO 27001, the leading ISO standard for information security management, addresses human resources security before employment (through its Annex A control on screening), and how its practices can help your organization put the right people in the right jobs.

Why worry about people before you employ them?

In terms of information security, the answer can basically be summarized in two words: trust and competence.

When an organization hires someone, that person will interact with other people’s information, whether it belongs to other employees, partners, or customers. It is essential to be able to trust this person to handle and protect that information.

After trust comes competence: when an organization hires, it is seeking the most capable people to perform specific activities in order to achieve its business objectives, so verifying competence is essential. (See also: How to learn about ISO 27001 and BS 25999-2.)

What to consider before hiring people

A company needs to show due diligence when hiring new employees in order to find trustworthy and competent people.

For example, someone hired to implement a secure network is expected to have solid knowledge and experience in that area. If a potential employee (i.e., a candidate for the position) does not have those competencies, he or she should not be considered for that position, because the organization may be held liable in case of problems or incidents.

To ensure that these aspects can be fulfilled for information security, a background check according to ISO 27001 could include:

  • verification of the completeness and accuracy of the applicant’s curriculum vitae;
  • verification of references, both personal and professional (e.g., by contacting previous employers or personal referees, or by searching the Internet for publicly available information);
  • confirmation of claimed qualifications, both academic and professional (e.g., by contacting the issuing institution or certification body) – for more information about what to look for in terms of competencies, see: What to look for when hiring a security professional and How personal certificates can help your company’s ISMS;
  • verification of the identity documents provided with the job application (e.g., by checking them with the issuing authority); and
  • specific verifications and confirmations related to the particular job to be performed (e.g., criminal record checks for any critical role, credit history for candidates who will have significant financial responsibilities, etc.).

It is important to note that background checks must be performed:

  • only by specifically designated and authorized people (a good practice is to establish a formal procedure with rules that define who performs the background checks, and how, when, and why they are carried out); and
  • not only for new employees or contractors, but also for current personnel who are promoted or transferred to a new position, because the requirements for the new position may be stricter than those of the old one.

Where background checks are performed by a contractor on behalf of the organization, an agreement should be defined between the organization and the contractor to ensure that the contractor follows the organization’s procedure, protects the information it gathers, and reports any findings that raise doubts or concerns.

Limitations on background checks

Because background checks involve gathering information that may be considered private or sensitive, or that may allow a person to be identified, some issues must be considered to prevent the organization from being exposed to legal action:

  • Background checks must be carried out in accordance with relevant laws, regulations, and ethics; in today’s globalized world, this may be tricky when you hire people who will be working remotely from other countries, because the laws of the candidate’s country may also apply.
  • The depth and coverage of background checks must be proportional to what the business considers relevant (you can use the business requirements, the classification of the information the person will access, and the perceived risks as references).
  • Information gathered during background checks must be handled and protected according to relevant laws, regulations, and ethics, and retained only as long as it is needed.

Good background practices mean better security and performance

Hiring someone to work for your organization may be the most critical aspect of the business, because no matter how good your processes, equipment, resources, and systems are, all of them will end up in the hands of the people you hire. In the wrong hands, even the best tool can be useless, or can be used to cause damage.

By performing background checks according to ISO 27001, you can minimize the risk of poor performance and of the organization’s critical information being compromised.

Learn more about human resources security in this free online training: ISO 27001 Foundations Online Course.
