{"id":13446,"date":"2018-03-26T14:40:59","date_gmt":"2018-03-26T14:40:59","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=13446"},"modified":"2024-12-21T13:11:09","modified_gmt":"2024-12-21T13:11:09","slug":"how-to-perform-background-checks-according-to-iso-27001","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2018\/03\/26\/how-to-perform-background-checks-according-to-iso-27001\/","title":{"rendered":"How to perform background checks according to ISO 27001"},"content":{"rendered":"<p><em>Update 2022-03-16.<\/em><\/p>\n<p>\u201cThe human factor is the weakest link in security.\u201d How many times have we heard this sentence? How many stories have we heard about security incidents caused by human failure or inaction?<\/p>\n<p>To reduce this risk, organizations all around the world have been working hard to make their employees and contractors aware of the importance of protecting information, and to prepare them to handle attempted attacks and incidents when they arise. But what if the wrong person is allowed to enter the organization? What if a person you think is competent for the job is, in fact, not? The best training and awareness campaigns won\u2019t help you with that.<\/p>\n<p>In this article, you will see how <a href=\"https:\/\/advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>, the leading ISO standard for information security management, addresses human resources security before employment, and how its practices can help your organization put the right people in the right jobs. 
Read on to learn what an ISO 27001 background check involves.<\/p>\n<div class=\"post-featured\">\n<div class=\"post-featured--title\">An ISO 27001 background check could include:<\/div>\n<div class=\"post-featured--content\">\n<ul>\n<li>verification of the completeness and accuracy of the applicant\u2019s curriculum vitae<\/li>\n<li>verification of references, either personal or professional<\/li>\n<li>confirmation of claimed qualifications, either academic or professional<\/li>\n<li>verification of the identification the applicant provided with the job application<\/li>\n<li>specific checks required by the nature of the job to be performed<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<h2>Why worry about people before you employ them?<\/h2>\n<p>In terms of information security, the answer can be summarized in two words: trust and competence.<\/p>\n<p>When an organization hires someone, this person will interact with other people\u2019s information, whether it belongs to other employees, partners, or customers. It is essential to ensure that you can <strong>trust<\/strong> this person to handle and protect that information.<\/p>\n<p>Beyond trust, an organization that hires is seeking the most capable people to perform specific activities in order to achieve its business objectives, so verifying <strong>competence<\/strong> is equally essential. 
(See also: <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2010\/11\/30\/how-to-learn-about-iso-27001-and-bs-25999-2\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to learn about ISO 27001 and BS 25999-2<\/a>.)<\/p>\n<h2>What to consider before hiring people<\/h2>\n<p>When hiring new employees, a company needs to show due diligence by implementing ISO 27001 background checks (the Annex A control called \u201cScreening\u201d: control 6.1 in ISO 27001:2022, A.7.1.1 in the 2013 edition) in order to find trustworthy and competent people.<\/p>\n<p>For example, a person expected to implement a secure network should have solid knowledge and experience in that area. If a candidate for the position does not have such competencies, he\/she shouldn\u2019t be considered for it, because the organization may be held liable in case of problems or incidents.<\/p>\n<p>To ensure that these aspects can be fulfilled for <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&#038;doc=information-security-policy\" target=\"_blank\" rel=\"noopener\">information security<\/a>, an ISO 27001 background check could include:<\/p>\n<ul>\n<li>verification of the completeness and accuracy of the applicant\u2019s curriculum vitae;<\/li>\n<li>verification of references, either personal or professional (e.g., by contacting previous employers or neighbors, or by searching the Internet for publicly available information);<\/li>\n<li>confirmation of claimed qualifications, either academic or professional (e.g., by contacting the certification issuers) \u2013 for more information about what to look for in terms of competencies, see: <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2016\/02\/15\/what-to-look-for-when-hiring-a-security-professional\/\" target=\"_blank\" rel=\"noopener noreferrer\">What to look for 
when hiring a security professional<\/a> and <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2014\/10\/06\/how-personal-certificates-can-help-companys-isms\/\" target=\"_blank\" rel=\"noopener noreferrer\">How personal certificates can help your company\u2019s ISMS<\/a>;<\/li>\n<li>verification of the identification the applicant provided with the job application (e.g., by contacting the issuer of the identification document); and<\/li>\n<li>specific checks required by the nature of the job to be performed (e.g., criminal records for any critical role, credit history for candidates who will have significant financial responsibilities, etc.).<\/li>\n<\/ul>\n<p>It is important to note that background checks must be performed:<\/p>\n<ul>\n<li>only by specific, authorized people (a good practice is to establish a formal procedure with rules that define who performs the background checks, and how, when, and why they are carried out); and<\/li>\n<li>not only for new employees and contractors, but also for current personnel who are promoted or transferred to a new position, because the requirements for the new position may be stricter.<\/li>\n<\/ul>\n<p>In cases where the background checks are performed by a contractor on behalf of the organization, an <a href=\"https:\/\/advisera.com\/27001academy\/documentation\/security-clauses-for-suppliers-and-partners\/\" target=\"_blank\" rel=\"noopener noreferrer\">agreement<\/a> should be defined between the organization and the contractor to ensure that the contractor follows the procedure and reports any findings that raise doubts or concerns.<\/p>\n<p><img decoding=\"async\" class=\"alignleft size-full wp-image-78359\" src=\"\/wp-content\/uploads\/\/sites\/5\/2018\/03\/backgorund-check.png\" alt=\"How to perform background checks according to ISO 27001\" width=\"1400\" height=\"1040\" srcset=\"\/wp-content\/uploads\/sites\/5\/2018\/03\/backgorund-check.png 1400w, 
\/wp-content\/uploads\/sites\/5\/2018\/03\/backgorund-check-300x223.png 300w, \/wp-content\/uploads\/sites\/5\/2018\/03\/backgorund-check-768x571.png 768w, \/wp-content\/uploads\/sites\/5\/2018\/03\/backgorund-check-1024x761.png 1024w\" sizes=\"(max-width: 1400px) 100vw, 1400px\" \/><\/p>\n<h2>Limitations on background checks<\/h2>\n<p>Because ISO 27001 background checks involve gathering information that may be considered private or sensitive, or that may identify a person, some issues must be considered to prevent the organization from being subject to legal action:<\/p>\n<ul>\n<li>Background checks must be carried out in accordance with <a href=\"https:\/\/advisera.com\/27001academy\/documentation\/list-of-legal-regulatory-contractual-and-other-requirements\/\" target=\"_blank\" rel=\"noopener noreferrer\">relevant laws, regulations, and ethics<\/a>; in today\u2019s globalized world, this may be tricky when you hire people who will be working remotely from other countries, since the laws of the country where they work may also apply.<\/li>\n<li>The depth and coverage of background checks must be proportional to what the business considers relevant (you can use as a reference the business <a href=\"https:\/\/advisera.com\/27001academy\/documentation\/procedure-for-identification-of-requirements\/\" target=\"_blank\" rel=\"noopener noreferrer\">requirements<\/a>, <a href=\"https:\/\/advisera.com\/27001academy\/documentation\/information-classification-policy\/\" target=\"_blank\" rel=\"noopener noreferrer\">information classification<\/a>, and <a href=\"https:\/\/advisera.com\/27001academy\/documentation\/risk-assessment-table\/\" target=\"_blank\" rel=\"noopener noreferrer\">perceived risks<\/a>).<\/li>\n<li>Information gathered during background checks must be handled and protected according to relevant laws, regulations, and ethics.<\/li>\n<\/ul>\n<h2>Good background practices mean better security and performance<\/h2>\n<p>Hiring someone to work for your organization may be the most critical 
aspect of the business, because no matter how good your processes, equipment, resources, and systems are, all of them will be in the hands of the people you hire. In the wrong hands, even the best tool can be useless or used to cause damage.<\/p>\n<p>By performing background checks according to ISO 27001 requirements, you can minimize the risks of poor performance and of compromise of the organization\u2019s critical information.<\/p>\n<p><span class=\"notion-enable-hover\" data-token-index=\"0\"><em>To learn how to comply with ISO 27001, while also implementing privacy and cybersecurity controls,<\/em>\u00a0<\/span><a class=\"notion-link-token notion-focusable-token notion-enable-hover\" tabindex=\"0\" href=\"https:\/\/advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\" data-token-index=\"1\"><span class=\"link-annotation-unknown-block-id-1092142182\">sign up for a 14-day free trial<\/span><\/a><span class=\"notion-enable-hover\" data-token-index=\"2\">\u00a0<em>of Conformio, the leading ISO 27001 compliance software.<\/em><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update 2022-03-16. \u201cThe human factor is the weakest link in security.\u201d How many times have we heard this sentence? How many stories have we heard about security incidents caused by human failure or inaction? 
In an effort to minimize this situation, organizations all around the world have been working hard to make &#8230;<\/p>\n","protected":false},"author":41,"featured_media":13448,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,1664,1665],"class_list":["post-13446","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-human-resources-security","tag-background-checks"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/13446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=13446"}],"version-history":[{"count":1,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/13446\/revisions"}],"predecessor-version":[{"id":103219,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/13446\/revisions\/103219"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/13448"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=13446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=13446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=13446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}