The basics
ISO 27001:2022 control A.6.1 Screening requires the organization to carry out background verification checks on candidates before they join, and on existing employees and third-party personnel on an ongoing basis, in accordance with applicable laws, regulations and ethics. The depth of the check should be proportional to the business requirements, the classification of the information the person will access, and the perceived risks, so that only trusted people are given access.
Documentation
ISO 27001 control A.6.1 Screening can be documented:
- for smaller companies, by stating in the Statement of Applicability (SoA) who is responsible for checking the company's job candidates and which method is applied (i.e., no separate document is needed)
- for mid-sized and larger companies, by writing a Screening Procedure.
These documents are not mandatory, but are recommended.
Implementation
In order to comply with control A.6.1 Screening, you might implement the following:
- Technology — the technology used to check the background of job candidates or external suppliers may include Internet access to social networks, professional associations, and legal or government authorities (e.g., criminal record checks), within the applicable legal limits. Personal data gathered during screening is itself sensitive, so it should be collected only with a lawful basis (such as the candidate's consent, where required), stored with restricted access, and retained no longer than necessary.
- Organization/processes — you should set up a process that defines who is in charge of performing background checks, for which jobs, how deep the check must be for each level of access, and in which circumstances a check is repeated (e.g., on promotion to a role with access to more sensitive information). You can document this process through a Screening Procedure and, for external personnel, through a Supplier Security Policy or contractual clauses.
- People — make HR staff and hiring managers aware of why background checks are needed, and train them on how and when to perform them.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.6.1 Screening: whether background checks are performed on job candidates before hiring and on currently employed personnel on an ongoing basis, taking business and legal requirements into account. Typical evidence includes the documented screening criteria per role, records showing that checks were carried out for a sample of recent hires and third-party personnel, and proof that the results were handled in line with data protection requirements.