In this week’s post, we cover all of the controls which the ISO 27001 standard has classified as “People Controls”. This covers data security throughout the lifecycle of an employee’s or contractor’s engagement with your organisation, from screening through to offboarding and responsibilities after employment has ceased, including employment contracts and terms and conditions as well as confidentiality and non-disclosure. Also included are remote working and the reporting of information security events.
A.6.1 Screening
The objective of the requirements in this subsection is to ensure that your candidates (employees and contractors) understand their responsibilities if they get the role and are suitable for the job they are being considered for.
To achieve this, you need to have planned well and be clear about what the responsibilities are. This can be done with a well-developed job description which, along with responsibilities, outlines the skills and experience that are required. You can use this as a screening tool for candidates to make sure that they have skills that will enable them to perform the tasks required for the job.
It will also be discussed in detail at the interview so that you are clear about the responsibilities. What candidates say in the interview can be independently verified through reference checks with their referees.
Depending on the industry you work in, it is also important to ensure any checks which are required by regulators are performed. These can include police checks, licence checks, and visa checks for staff who are international citizens.
A.6.2 Terms and conditions of employment
Your Individual Employment Agreements (IEA) and Contractor Agreements need to be in order too. A good place to start is to have your employment contract and agreements for any contractors reviewed by your lawyers, or other appropriate people, to include specific details around information security.
These should include rules and expectations around the handling of company data, which includes any PII, customer data, and importantly your company’s intellectual property. You should also include any actions which may be taken because of a breach of these rules and expectations.
A.6.3 Information security awareness, education and training
The objective of this section is that during their employment both employees and contractors are aware of and fulfil their information security responsibilities. This can be done in multiple ways.
Firstly, start with a strong induction programme. Update your induction system to include information security. Depending on your system, you will cover all of your policies, management of assets, access to systems, access to buildings, password strength, malware, backups, software controls, networks, purchasing, incidents and business continuity. Including these items on your induction checklist is a really good idea.
Next, implement an on-going training and education programme for all your staff. Cover those items listed above. This is an ongoing process. One-off training and education sessions are generally not good enough as people will forget after a period. Creating a programme where staff are constantly reminded of data security will keep it front of mind and help them build good habits to protect themselves. This type of programme also keeps staff aware of the latest emerging threats in what is a fast-moving industry.
You can do this by including education items during any all staff or team meetings you have scheduled. Then, you can record the training / education as being completed for the employees who attended.
A.6.4 Disciplinary process
There should be consequences for breaches of the information security policy to deter and appropriately deal with staff, contractors or other interested parties who breach them.
This can be incorporated into any existing disciplinary process you have, and should take into consideration the nature and severity of the breach and its consequences, whether it was intentional, whether it was a first or repeat offence, and whether the person(s) were properly trained.
A.6.5 Responsibilities after termination or change of employment
This is a frequently overlooked area of information security and should be addressed in a twofold approach.
When an employee or a contractor leaves or changes roles, your systems need to cover:
- What happens to the integrity of your systems?
- What access rights need to change?
- Do passwords need to change?
- Do you change access codes on buildings or areas?
- What happens to mobile device data?
- And more...
There are plenty of things to oversee to ensure that your systems are not compromised. These can be incorporated into your processes to ensure that you have a documented, thought out approach to risks when someone leaves a role.
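The offboarding questions above become a concrete check once the answers are tracked against an account inventory. The following is an added example, not code from the blog post or from the ISO 27001 standard: it takes a leaver record and a constructed inventory of accounts, API keys, shared credentials, building codes and mobile devices, and reports every item from the list above that is still open after the person’s last day. All data structures, names and sample records are assumptions made for the example.

```python
"""Leaver access review: report A.6.5 offboarding items that are still open.

Added example (not from the blog post or ISO 27001). Given a leaver and an
inventory, it lists every access-related item that has not been closed off:
accounts still active, API keys not revoked, shared credentials the person
knew that have not been rotated since their last day, building codes not
changed since their last day, and mobile devices that have not been wiped.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Leaver:
    user_id: str
    last_day: date
    shared_secrets_known: list[str]   # names of shared credentials the person could use
    building_codes_known: list[str]   # doors/areas whose codes the person knew


@dataclass
class Account:
    system: str
    owner: str
    active: bool


@dataclass
class ApiKey:
    key_id: str
    owner: str
    revoked: bool


@dataclass
class MobileDevice:
    device_id: str
    owner: str
    wiped: bool


@dataclass
class Inventory:
    accounts: list[Account]
    api_keys: list[ApiKey]
    shared_secret_rotated: dict[str, date]   # secret name -> date last rotated
    building_code_changed: dict[str, date]   # code name -> date last changed
    devices: list[MobileDevice]


def open_offboarding_items(leaver: Leaver, inv: Inventory) -> list[str]:
    """Return human-readable findings; an empty list means offboarding is complete."""
    findings: list[str] = []
    for acct in inv.accounts:
        if acct.owner == leaver.user_id and acct.active:
            findings.append(f"account still active: {acct.system}")
    for key in inv.api_keys:
        if key.owner == leaver.user_id and not key.revoked:
            findings.append(f"api key not revoked: {key.key_id}")
    # A shared secret counts as rotated only if the rotation happened AFTER the
    # last day; a missing rotation record is treated as not rotated (fail closed).
    for name in leaver.shared_secrets_known:
        rotated = inv.shared_secret_rotated.get(name)
        if rotated is None or rotated <= leaver.last_day:
            findings.append(f"shared secret not rotated since last day: {name}")
    for code in leaver.building_codes_known:
        changed = inv.building_code_changed.get(code)
        if changed is None or changed <= leaver.last_day:
            findings.append(f"building code not changed since last day: {code}")
    for dev in inv.devices:
        if dev.owner == leaver.user_id and not dev.wiped:
            findings.append(f"mobile device not wiped: {dev.device_id}")
    return findings


def sample_review() -> list[str]:
    """Run the check over constructed sample data (hypothetical user 'jdoe')."""
    leaver = Leaver(
        user_id="jdoe",
        last_day=date(2024, 3, 15),
        shared_secrets_known=["backup-server-root", "wifi-psk"],
        building_codes_known=["server-room", "front-door"],
    )
    inv = Inventory(
        accounts=[
            Account("email", "jdoe", active=False),     # disabled: fine
            Account("vpn", "jdoe", active=True),        # missed during offboarding
            Account("email", "asmith", active=True),    # someone else: ignored
        ],
        api_keys=[ApiKey("key-01", "jdoe", revoked=True),
                  ApiKey("key-02", "jdoe", revoked=False)],
        shared_secret_rotated={"backup-server-root": date(2024, 3, 20),
                               "wifi-psk": date(2024, 1, 10)},
        building_code_changed={"server-room": date(2024, 3, 16),
                               "front-door": date(2023, 12, 1)},
        devices=[MobileDevice("phone-7", "jdoe", wiped=False)],
    )
    return open_offboarding_items(leaver, inv)


if __name__ == "__main__":
    for line in sample_review():
        print(line)
```

Running the sample reports five open items (the VPN account, one API key, the Wi-Fi PSK, the front-door code and the phone). In practice the inventory would be populated from your directory, secrets manager and MDM exports rather than typed in, but the rule it enforces is the one the list above implies: nothing the leaver could still use may remain valid after their last day.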
The second consideration is to ensure that the staff or contractors who are leaving are aware of the responsibilities they signed up to as part of their contract, which may include non-compete clauses to protect your IP and, more importantly, confidentiality and non-disclosure agreements, which we will talk about now…
A.6.6 Confidentiality or non-disclosure agreements
The objective here is to maintain the security of information transferred within your organisation and with any external entity by ensuring that you have appropriate confidentiality and non-disclosure agreements in place.
These should be in place with both employees and contractors and also any other interested parties, such as suppliers, who may need access to your information. The requirements contained in the agreement should consider the types and classification (from A.5.12, which was covered in a previous blog) of information that will be handled.
A.6.7 Remote working
The increasing use of remote workers poses a significant risk to a business. For remote-working staff, you should review and update your policies and procedures for keeping them secure and well protected.
A few things you can do to enhance security of remote workers and their devices are:
- Increase the strength of passwords
- Move to 2-factor authentication
- Regularly update the apps
- Check the privacy settings of the applications they use
A.6.8 Information security event reporting
In ISO 27002 the definition of an information security event is “identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant”.
Those events need to be reported through appropriate management channels as quickly as possible. Not all security events are incidents, so you need to treat them cautiously, as in time they may become an incident. A real-world example of the differentiation was discussed in "When systems fail: what a global outage teaches us about cyber security and quality".
For example, in Australia the ACSC sends out alerts about known security issues. CERTNZ does the same in New Zealand. If you subscribe to these, relevant staff should be notified of these events, and they can be logged as an Information Security Event within your system.
Internally, your employees and contractors are required to note and report any observed or suspected information security weaknesses in systems or services.
As hackers and malware are becoming more and more cunning, your employees and contractors need to always be alert to strange behaviour or weaknesses. Anything suspicious needs to be reported, even if it later turns out not to be an issue.
These should be discussed at relevant levels between relevant teams at periodic meetings to ensure that they are aware of the new events and how to identify them.
Takeaways
We covered a lot in this article. Some of the key items to note are:
- Have well thought out job descriptions for the roles within your organisation which can be used when screening candidates.
- Ensure that your data security expectations and rules are outlined in contracts. These should be backed up by a disciplinary process which is communicated to them.
- Organise an ongoing information security awareness programme to keep employees up to date with best practice security actions and keep it front of mind to create a data security culture.
- With the advent of remote working, or staff taking assets with remote access to your systems, ensure that these risks have been considered and that appropriate controls are in place to mitigate them.
- Implement a process where employees can report data security events which can be investigated.
- View the previous post in the series: Practical Steps for Policy Compliance and ISMS Independent Review in Controls A.5.35 – A.5.37
- View the next post in the series: Best Practices for Physical ISMS Protection in Controls A.7.1 - A.7.5