When organisations think about Information Security and what things need to be in place to achieve their ISO27001 Information Security Management System (ISMS) certifications for some reason they mostly forget about the Human Resources function. That is a little strange when you think about it, your relationship with employees and contractors for that matter starts before they physically start with your organisation so why shouldn't your information security processes start there as well? That should also lead you wonder when they should end as well, which must be after they leave the organisation, which is the span that this clause covers.
A7.1 - Prior to Employment
For many organisations there is pre-employment activities that go on from interviews to a myriad testing and references. This is what clause A7.1 is looking to cover off by ensuring that all of your candidates for employment or contractors understand their obligations and responsibilities with respect to your ISMS even before they start with your organisation. It is looking for you to ensure they are suitable for the role that you are recruiting for in that respect. There are 2 sub sections to this annex clause:
- A7.1.1 Screening – which requires you to take appropriate steps in terms of carrying background checks of the candidate. They should be proportional to the size of the company and of course the role. The checks you would do for a new Chief Information Security Office are not the same as you would do for a new receptionist since they will have very different access to very different data.
- A7.1.2 Terms and conditions of employment – The standard is very clear that you need to state the new employee or contractor and the organisation's responsibilities for information security within their contractor of employment. It ensures that everyone is clear on who is responsible for what.
A.7.2 During employment
Now that you have hired someone your information security processes do not stop, in fact they ramp up even more. This clause is set up to ensure that the employees and contractors are fully aware of the information security responsibilities during their time of employment. There are 3 sub sections to this annex clause:
- A.7.2.1 Management responsibilities – this subclause is about the responsibility of the management of the organisation to set out the expectation that they require all employees and contractors to follow the policies and procedures with respect to information security that the company has set up. This needs to be more than a line on a policy or in the contract it needs to be repeated from the induction all the way throughout the employment term.
- A7.2.2 Information security awareness, education and training – This sub clause sets out a clear requirement to ensure that you have the appropriate level of training for information security for all employees. It also requires that training to eb on going so yes it needs to be included in your induction program, but it also needs to be refreshed during their employment period and of course needs to be tailored to their specific job role. If you have not reviewed how good your induction program is, now is a great time to really start thinking about it, a solid induction program is always going to be worth its weight in gold.
- A7.2.3 Disciplinary process – Nobody seems to like to talk about the disciplinary process, certainly not when people start with your organisation, but you should, it makes it really clear up front the consequences of not playing by the rules of the organisation or the law. Of course, a disciplinary process is only any good if you follow through with it and apply it equally at all levels of your organisation. This subclause requires you to have a formal disciplinary process in place for any type of information security breach, as you would expect it needs you to clearly communicate that to your employees (think inductions, reviews, team meetings etc). Since you have a documented formal process there is the expectation that it will be carried out, that will be audited come certification time.
A7.3 Termination and change of employment.
The aim of this last clause is to really ensure that the organisation and its information are protected if someone changes role or leaves the organisation. How often have you found someone on the email list or with access to a system that no longer works in a company or have moved roles so their access should have changed? It's easy to overlook things but the standard requires you to have processes in place to ensure that someone stops having access to information as soon as they no longer have a right to access it, that seems obvious, yet it gets forgotten about. Passwords need to be changed, access rights terminated and building access revoked for a start. What companies and former employees or contractors also forget about is that their information security responsibilities do not stop when they leave the company.
- A7.3.1 Termination or change of employment responsibilities – this clause is squarely aimed at ensuring both the organisation and the employee or contractor fully understand that they both have a responsibility to maintain the information security policy and procedure requirements after an employee has left or changed role. To do this the sub clause requires that you document and communicate these requirements to the employee or contractor and that you enforce them as well.
The Human resource requirements annex for your ISO27001 Information Security Management System is probably one of the best defined in the standard. That is because these 3 sections are critical to how well your information security management system is going to work. If you do not inform people of what their responsibilities are and the consequences of not following your policy and procedures, then the outcome you get is the outcome you have set yourself up for.