ISO 27001 Control 6.1: Screening

Alan Parker

Personnel Screening for Information Security: Overview

Conducting thorough background verification checks is a critical step in ensuring the security of an organisation. This control ensures that all personnel are eligible and suitable for their roles, mitigating risks to sensitive information and maintaining trust across operations. It further helps organisations foster a culture of accountability and reduce the likelihood of insider threats or operational disruptions caused by unsuitable hires.


Purpose

The purpose of personnel screening is to confirm that individuals employed by the organisation are trustworthy, competent, and suitable for their roles. This verification process safeguards the organisation’s information assets and ensures compliance with legal, ethical, and business requirements. Furthermore, it helps organisations maintain regulatory compliance and uphold their reputation by ensuring that all staff meet the required standards of conduct and competence.


Guidance

Screening Process

A screening process should be implemented for all personnel, including full-time, part-time, and temporary staff. If these individuals are supplied by third-party contractors, screening requirements must be included in the contractual agreements with suppliers. Organisations should treat this process as a foundational layer of their risk management strategy, ensuring consistency and fairness across all recruitment practices.


The screening process should consider the following:

  • Applicable laws, regulations, and ethical considerations to ensure the process respects candidates’ rights.

  • The classification of information the individual will access, tailoring the screening to the sensitivity of the role.

  • The perceived risks associated with the role, including potential impacts on operations, finances, and compliance.


Key Screening Activities

When conducting background verification, organisations should consider the following, in compliance with relevant privacy, PII protection, and employment legislation:

  1. References: Obtain satisfactory business and personal references. References can provide insights into the candidate’s work ethic, reliability, and suitability for the position.

  2. CV Verification: Ensure the accuracy and completeness of the applicant’s curriculum vitae. This includes verifying employment history and any gaps in employment.

  3. Qualifications: Verify academic and professional qualifications to confirm that the candidate possesses the necessary expertise for the role.

  4. Identity Verification: Independently confirm the applicant’s identity through official documents (e.g., passport or government-issued ID). This confirms that the person is who they claim to be.

  5. Detailed Checks: For critical roles, conduct additional verification such as criminal record checks or credit reviews, where permitted by law. Such checks are especially important for roles involving access to sensitive or financial information.


Information Security Roles

For information security-specific roles, organisations should ensure that:

  • The candidate possesses the required competence to fulfil the responsibilities of the role, including technical knowledge and familiarity with security standards.

  • The candidate can be trusted to handle sensitive or critical information, demonstrating integrity and reliability.

If the role involves access to information processing facilities or handling confidential data (e.g., financial, personal, or healthcare information), more detailed verification checks should be carried out. These measures minimise the risk of accidental or malicious data breaches.


Screening Procedures

Screening procedures should outline:

  • Criteria and limitations for verification checks, ensuring consistency across all roles.

  • Eligibility of personnel authorised to conduct screening, ensuring checks are performed by qualified individuals.

  • When and why verification reviews are performed, aligning with organisational policies and risk tolerance.


In cases where verification cannot be completed in a timely manner, mitigating controls should be implemented, such as:

  • Delayed Onboarding: Postponing the candidate’s start date until verification is complete.

  • Restricted Asset Deployment: Ensuring corporate devices and systems are not issued prematurely.

  • Limited Access: Providing only minimal or supervised access to organisational systems and data.

  • Termination of Employment: If verification uncovers concerns, employment may need to be terminated to protect the organisation.


Ongoing Screening

Periodic verification checks should be conducted to ensure the ongoing suitability of personnel. The frequency of these checks should align with the criticality of the individual’s role and their access to sensitive information. Regular screening reinforces trust and ensures that personnel continue to meet the organisation’s standards.

For critical roles, consider conducting annual checks or initiating re-screening during promotions or changes in job responsibilities. This proactive approach helps address evolving risks and ensures that personnel are prepared for new challenges in their roles.


Benefits of Screening

A robust screening process provides significant benefits, including:

  • Reduced Risk Exposure: By identifying unsuitable candidates before they join, organisations minimise potential insider threats and operational vulnerabilities.

  • Improved Compliance: Meeting legal and regulatory requirements for hiring practices fosters trust with stakeholders and regulatory bodies.

  • Enhanced Organisational Security: A vetted workforce ensures that information assets remain secure and that employees understand their role in maintaining security standards.


Conclusion

Personnel screening is a preventive control that safeguards the organisation from potential security risks. By implementing robust screening processes and periodic reviews, organisations can maintain a high standard of trust and integrity in their operations while protecting sensitive information. Screening contributes to creating a secure and efficient working environment, ensuring that all personnel align with the organisation’s values and objectives. Organisations that prioritise thorough screening practices demonstrate their commitment to long-term security, compliance, and operational success.

About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.