- September 28, 2022
- Transcendnext
- Information Security
ISO 27001 – Spotlight on Human Resource Security
Here we will shine a spotlight on the Human Resource Security component of the ISO 27001 Information Security Management standard. For context, ISO 27001 is divided into 14 domains, with our focus topic in bold:
- Information security policies
- Organization of information security
- **Human resource security**
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
Domain 3: Human Resource Security
This domain ensures that Information Security requirements are embedded in all three phases of Human Resource Management:
- Phase 1 – Prior to Employment
- Phase 2 – During Employment
- Phase 3 – Termination and Change of Employment Responsibilities
The Human Resource Security requirement extends to direct employees and to contractors/consultants, whether permanent, temporary or part-time; simply put, it covers anyone working for the company.
Human Resource Security Phase 1- Prior to Employment
The Information Security requirement during the recruiting/hiring process is for the organization to be certain of 2 things, with confidence and evidence:
- Everyone hired has the competence required to fulfill their role, and
- Everyone in the organization has a clear understanding of their responsibilities
There are 2 Controls that apply to the pre-employment phase:
- During Screening of candidates, Background checks (within legal and ethical boundaries) need to take into consideration a candidate’s suitability for the role, their suitability for accessing the classification/level of information required by the role, and the related risks.
  - For this the company should provide the requirement through a job requisition form. This will provide the job description, skills needed for the job, experience, budget for the role, expected date of joining and other important points, to ensure that the Human Resource team is focused on finding the candidate most suitable for the job.
  - The company should also run a background check on selected candidates to ensure they do not pose any risk to the company, especially in regard to data security. If a candidate has misrepresented their years of experience, it can affect their decision-making or other abilities when handling the role and its responsibilities. On the other hand, if any of the chosen candidates has a criminal background, it can affect the security of the company’s data and employees’ well-being.
- Contractual Terms and Conditions of Employment need to clearly outline the employee/contractor’s responsibilities AND the employer’s responsibilities for Information Security.
  - The company should outline the roles and responsibilities of the job awarded to the candidate. Accordingly, training should be provided in accordance with the training management process, and the effectiveness of the training should be checked within 14 to 30 days of the date the training was provided.
  - The company should also keep all training records in place and provide refresher training on a timely basis, to ensure employees are aware of their responsibilities towards the information security management system.
Through this the company can ensure that it hires only candidates who have the ability to fulfill the duties of the role, and can grant access to information at the defined level.
Human Resource Security Phase 2- During Employment
The Information Security requirements during employment are designed to make sure anyone working for an organization: i) knows the company’s Information Security Policy, ii) knows their responsibilities for Information Security, and iii) is fulfilling their responsibilities for Information Security.
There are 3 controls that apply during this phase of the employment cycle:
- Anyone working for an organization is required to use or apply the company’s Information Security policies and procedures in doing their job.
  For this the company should share the policies and procedures of their respective department to ensure all employees are fully aware of the information security management system. Apart from this, the company should also provide refresher training on the security management system on a periodic basis.
- The organization must have an active Information Security Awareness and Training program and policy in place. This program and policy must make certain that anyone working for the organization:
  - i) is aware of the Info Sec policies and procedures,
  - ii) knows how to use them in their job, and
  - iii) is kept up to date on any changes to the policies or procedures.
  For this the company can conduct an internal audit on a periodic basis to check awareness among employees: whether they are aware of the related policies and procedures or not. Focus should also be given to the policies and procedures themselves, to check whether the material is effective for data security or not.
- The organization must have a disciplinary process in place to deal with any Information Security breach committed by anyone working for them.
  There should be a PIP (performance improvement plan) that can be used if an employee is not effectively implementing a security policy or procedure. Under this the company can put the employee on a plan through which the needed resources are provided, together with an objective for the employee in implementing the procedure. If, after all attempts, the employee is still not able to implement it, the company can take disciplinary action. In the case of a security breach, the company can bypass the PIP and follow the disciplinary process directly to deal with the situation.
With the above controls, the company can ensure that the skills and expertise of all employees are continually improved and match the security objectives of the company.
Human Resource Security Phase 3 – Termination and Change of Employment Responsibilities
Needing to deal with access to information by someone who is no longer working for an organization is a given and obvious requirement. We need to cut off all access to all information and premises, usually with immediate effect. On the other hand, how to deal with someone changing jobs within the organization can be less obvious, particularly for small and medium-sized enterprises. Knowing ‘when’ an employee needs access to ‘more’ or ‘more sensitive’ information is usually straightforward. Knowing ‘when’ they no longer need access to that information can be tricky, as responsibilities tend to ‘evolve’ more often than they change wholesale.
For that reason, the 27001 requirement for this topic reduces it to one simple control:
Any Information Security responsibilities and duties that are NOT removed after a termination or internal job change must be communicated to the individual and enforced.
It simplifies the organization’s responsibilities, provided they know exactly what the individual has access to – but that’s a whole other topic.
About T-Next:
T-Next (TranscendNext Quality Management Inc.) is a Burlington ON based Quality Management consultancy with expertise in navigating the sea of global standards and working with clients to select, implement and gain certification in the standards most beneficial to their business.
To contact us:
email [email protected]
Call us at 1 888 517 3335
Michael Blazevic,
Managing Partner,
T-NEXT – TranscendNext Quality Management
Michael Blazevic is a Business and Technology professional and executive with a background managing global teams and business functions in tier 1 organizations and implementing bottom-line focused Quality Management solutions in complex environments.