What to consider in security terms and conditions for employees according to ISO 27001
A good way to ensure that people are aware of their roles and responsibilities in an organization is to define policies and procedures to be followed. But this solution has a limitation: policies and procedures only cover the people who are already working for the organization and already have access to its information. What do you do when you need to introduce new employees or contractors into the environment?
Once the proper candidates have been selected by the organization (for more information on this topic, please see How to perform background checks according to ISO 27001), it is important to ensure that information will be properly protected even at the earliest stages of employment. How can you achieve this when a candidate has not yet had access to the organization’s policies and procedures? This article presents what should be considered in security terms and conditions for employees according to ISO 27001.
How to make security terms and conditions, and make them important
Broadly speaking, terms and conditions of work are the general rules that the employer and the employee (or the contractor’s personnel working on the organization’s behalf) agree upon for a job or activity. They are normally presented during the pre-employment process in documents such as terms and conditions of employment, an employment agreement, etc.
These documents normally cover a broad list of items such as working time (e.g., hours of work, rest periods, and work schedules), remuneration, and workplace conditions. However, given the increasing concern over the potential impact of the loss, unauthorized disclosure, or alteration of information, organizations must start including information protection items in such agreements.
Since in many situations the terms and conditions of employment are a legal requirement for establishing a work relationship, including security terms and conditions related to confidentiality, data protection, ethics, appropriate use of the organization’s equipment and facilities, and use of best practices allows an organization to enhance its protection, and its legal position, in case of legal actions involving information security incidents.
Contractual agreements of work according to ISO 27001
As a management standard, ISO 27001 does not prescribe what to include in the security terms and conditions of employment, only which objective must be achieved, through control A.7.1.2 (Terms and conditions of employment): to formally state the responsibilities for information security of employees, contractors, and the organization itself.
To fulfil this objective, organizations have three alternatives:
a) Include the full content of all information security policies in the agreement. While this option provides the most complete coverage of the expected behavior towards information security at an early employment stage, it can make the document confusing, unreadable, and ineffective in practice.
b) Include summarized versions of all information security policies (e.g., by adopting a corporate code of conduct) in the agreement. Short documents are more readable, but if they are summarized too much, important elements may be left out of the picture until the person has contact with the full policies, giving all parties a false sense of security.
c) Include the full content of the most relevant information security policies and summarized versions of the rest in the agreement. This approach offers the best balance between preserving security and practical use, and can be achieved by summarizing only the policies that score as lower risks according to the results of a risk assessment, while keeping the full content of the policies that cover high-risk areas. For more information on this topic, see ISO 27001 risk assessment & treatment – 6 basic steps.
Aspects of information security policies
When working on summarized versions for alternatives “b” or “c”, it is useful to review the recommendations of ISO 27002, the supporting standard that provides implementation guidance for the ISO 27001 Annex A controls. ISO 27002 recommends that at least the following aspects be included:
- the conditions for granting access to sensitive information (e.g., the signing of confidentiality or non-disclosure agreements), and the requirement that these conditions be fulfilled before new personnel can access information or information processing facilities;
- the rights and responsibilities of all involved parties regarding legal requirements, such as the requirements for the protection of copyrighted or private information under the EU GDPR;
- responsibilities regarding the classification and handling of information and information-related assets, whether owned by the organization or received from third parties. For more information, see Information classification according to ISO 27001;
- the actions to be taken if security requirements are violated by the involved parties (e.g., application of the disciplinary process, notification of law enforcement authorities, judicial appeal, etc.).
It is important to note that these security terms and conditions should, where justifiable, continue to apply for a defined period after the end of the work relationship (e.g., information related to a new product should be protected until that product is released on the market, regardless of the phase of product development at which the work relationship ended).
Consider the “Better safe than sorry” principle with employees
Strangely enough, the most common security incidents are not related to intentional attacks, but to a lack of awareness of information security responsibilities and of the consequences to the person or the organization if information security is compromised.
By following the controls established by ISO 27001, an organization can not only handle intentional attempts to compromise information, but also develop cost-effective conditions to ensure that people who will have access to sensitive information are legally aware of their responsibilities and accountable for the penalties related to information security.
Such conditions can contribute to improving security in at least two ways. First, they help minimize the risk of unintentional incidents by making people aware of the minimum conditions to be followed. Second, they provide solid grounds for legal action against an employee or contractor who violates security rules or fails to protect the organization, by demonstrating a good level of due diligence.
Learn more about human resources security in this free online training: ISO 27001 Foundations Online Course.