# 3. Human Resource Security

This category addresses the need to ensure that employees, contractors, and third-party users understand their information security responsibilities and are suitable for the roles they are considered for. It covers security measures that should be taken during the pre-employment, employment, and termination or change of employment phases to protect the organization's information assets.

## **Controls (A.7):**

* **A.7.1.1:** Screening
* **A.7.1.2:** Terms and Conditions of Employment
* **A.7.2.1:** Management Responsibilities
* **A.7.2.2:** Information Security Awareness, Education, and Training
* **A.7.2.3:** Disciplinary Process
* **A.7.3.1:** Termination or Change of Employment Responsibilities

### **Control A.7.1.1: Screening**

**Audit Questions:**

* Are background checks conducted on all new hires and contractors?
* What criteria are used for screening employees based on their role and access level?
* Can you provide evidence of recent screenings?

**Common Non-Conformities (NC):**

* Lack of documented screening procedures.
* Inconsistent application of background checks.
* Insufficient screening criteria.

### **Control A.7.1.2: Terms and Conditions of Employment**

**Audit Questions:**

* Are information security responsibilities included in the terms and conditions of employment?
* How are these terms communicated and enforced?

**Common Non-Conformities (NC):**

* Information security responsibilities not included in employment terms.
* Employees unaware of their information security responsibilities.
* Lack of enforcement of these terms.

### **Control A.7.2.1: Management Responsibilities**

**Audit Questions:**

* How do managers ensure that employees understand and fulfill their information security responsibilities?
* Are there regular reviews of employee performance related to information security?

**Common Non-Conformities (NC):**

* Managers not held accountable for ensuring employee compliance with information security.
* Lack of performance reviews related to information security.

### **Control A.7.2.2: Information Security Awareness, Education, and Training**

**Audit Questions:**

* Are employees provided with regular information security awareness and training programs?
* How is the effectiveness of these programs measured?

**Common Non-Conformities (NC):**

* No regular information security training programs.
* Training programs not tailored to specific roles and responsibilities.
* Lack of measurement of training effectiveness.

### **Control A.7.2.3: Disciplinary Process**

**Audit Questions:**

* Is there a documented disciplinary process for information security breaches?
* How is this process communicated to employees?

**Common Non-Conformities (NC):**

* Lack of a documented disciplinary process.
* Employees unaware of the consequences of information security breaches.
* Inconsistent application of disciplinary measures.

### **Control A.7.3.1: Termination or Change of Employment Responsibilities**

**Audit Questions:**

* What procedures are in place for ensuring the secure termination or change of employment?
* Are there documented processes for revoking access and retrieving company assets?

**Common Non-Conformities (NC):**

* Lack of procedures for secure termination or change of employment.
* Access not revoked promptly.
* Company assets not retrieved in a timely manner.
