ISO 27001 Information Security Management Standard

Part 26 - A7 Human Resource Security

This clause of Annex A is probably the best structured of all the requirements listed in the Annex. It details the management system requirements for employees and contractors prior to their employment, during their employment and after their employment.

It covers all those HR tasks like recruitment, agreements, awareness, education, training, discipline, change and termination.

I have covered a lot of this territory previously in part 19 “Clauses 7.1 – 7.4 Resources, Competence, Awareness and Communication”. Go back and read that blog because it describes nicely many of the requirements listed here.

A.7.1 Prior to employment

Let's start with Recruitment.

The objective of the requirements in this subsection is to ensure that your candidates (employees and contractors) understand their responsibilities if they get the role and are suitable for the job they are being considered for.

Therefore you need to have planned well and be clear what the responsibilities are. This can be done with a well-developed job description.

You can use this as a screening tool for candidates.

It will also discussed in detail at the interview so that you a clear with the responsibilities.

Don’t forget to get your Individual Employment Agreements (IEA) and Contractor Agreements in order too.

Here at Mango we had our standard IEA template and Contractor’s Agreement updated by our lawyers to include specific details around information security. I suggest that you do the same.

A.7.2 During employment

The objective of this section is that during their employment both employees and contractors are aware of and fulfil their information security responsibilities. This will be done in multiple ways.

Firstly start with a strong induction programme. Update your induction system to include information security. Depending on your system you will cover all your polices, management of assets, access to systems, access to buildings, password strength, malware, backups, software controls, networks, purchasing, incidents and business continuity.

Here at Mango we updated our induction checklist to include these items.

Next, implement an on-going training and education programme for all your staff. Cover those items listed above. This is an ongoing process. One-off training and education sessions won’t cut it.

Here at Mango we have monthly Management Review meeting with all staff. During those sessions we always incorporate some education and training on information security. This education is then recorded in Mango as professional development for each employee.

A.7.3 Termination and change of employment

This is an often overlooked area of information security. When an employee or a contractor leaves or changes roles, your systems need to cover:

What happens to the integrity of your systems?
What access rights need to change?
Do you change passwords?
Do you change pass-codes on buildings?
What happens to mobile device data?
And on and on ...

There are plenty of things to oversee to ensure that your systems are not compromised.

Takeaways

Update your individual employment agreements and contractor agreements with information security at the core of the agreements.
Create an information security training and education plan for your staff. Make sure you are consistent with delivering the plan.
Try and include information security into your business-as-usual tasks like, management meetings, review meetings, company newsletters etc. and treat them as educational or training events.
Develop some robust systems for when your employees or contractors either change roles are terminated.

View previous blogs in this series "ISO 27001 Information Security Management Standard":

Part 1 - Reasons why you need to meet this standard

Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls

Part 3 - Principle 2 - Awareness of the Need for Information Security

Part 4 - Principle 3 - Assignment of Responsibility for Information Security

Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

Part 6 - Principle 5 - Enhancing Societal Values

Part 7 - Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

Part 8 - Principle 7 - Security incorporated as an essential element of information networks and systems

Part 9 - Principle 8 - Active prevention and detection of information security incidents

Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management

Part 11 - Principle 10 - Continual reassessment of information security and making of modifications as appropriate