3. Human Resource Security

This category addresses the need to ensure that employees, contractors, and third-party users understand their information security responsibilities and are suitable for the roles they are considered for. It covers security measures that should be taken during the pre-employment, employment, and termination or change of employment phases to protect the organization's information assets.

Controls (A.7):

  • A.7.1.1: Screening

  • A.7.1.2: Terms and Conditions of Employment

  • A.7.2.1: Management Responsibilities

  • A.7.2.2: Information Security Awareness, Education, and Training

  • A.7.2.3: Disciplinary Process

  • A.7.3.1: Termination or Change of Employment Responsibilities

Control A.7.1.1: Screening

Audit Questions:

  • Are background checks conducted on all new hires and contractors?

  • What criteria are used for screening employees based on their role and access level?

  • Can you provide evidence of recent screenings?

Common Non-Conformities (NC):

  • Lack of documented screening procedures.

  • Inconsistent application of background checks.

  • Insufficient screening criteria.

Control A.7.1.2: Terms and Conditions of Employment

Audit Questions:

  • Are information security responsibilities included in the terms and conditions of employment?

  • How are these terms communicated and enforced?

Common Non-Conformities (NC):

  • Information security responsibilities not included in employment terms.

  • Employees unaware of their information security responsibilities.

  • Lack of enforcement of these terms.

Control A.7.2.1: Management Responsibilities

Audit Questions:

  • How do managers ensure that employees understand and fulfill their information security responsibilities?

  • Are there regular reviews of employee performance related to information security?

Common Non-Conformities (NC):

  • Managers not held accountable for ensuring employee compliance with information security.

  • Lack of performance reviews related to information security.

Control A.7.2.2: Information Security Awareness, Education, and Training

Audit Questions:

  • Are employees provided with regular information security awareness and training programs?

  • How is the effectiveness of these programs measured?

Common Non-Conformities (NC):

  • No regular information security training programs.

  • Training programs not tailored to specific roles and responsibilities.

  • Lack of measurement of training effectiveness.

Control A.7.2.3: Disciplinary Process

Audit Questions:

  • Is there a documented disciplinary process for information security breaches?

  • How is this process communicated to employees?

Common Non-Conformities (NC):

  • Lack of a documented disciplinary process.

  • Employees unaware of the consequences of information security breaches.

  • Inconsistent application of disciplinary measures.

Control A.7.3.1: Termination or Change of Employment Responsibilities

Audit Questions:

  • What procedures are in place for ensuring the secure termination or change of employment?

  • Are there documented processes for revoking access and retrieving company assets?

Common Non-Conformities (NC):

  • Lack of procedures for secure termination or change of employment.

  • Access not revoked promptly.

  • Company assets not retrieved in a timely manner.
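One way an auditor or the security team can gather evidence for the "access not revoked promptly" non-conformity is to reconcile HR leaver records against the identity system's account state. The following is an added example, not part of the original checklist; the record layouts, the sample users and the 24-hour revocation window are all assumptions.

```python
from datetime import datetime

# Constructed sample records (no real people or systems).
# HR export: who left or changed role, and when.
HR_LEAVERS = [
    {"user": "alice", "left": "2024-03-01T17:00", "event": "termination"},
    {"user": "bob",   "left": "2024-03-02T17:00", "event": "role_change"},
    {"user": "carol", "left": "2024-03-03T17:00", "event": "termination"},
    {"user": "dave",  "left": "2024-03-04T17:00", "event": "termination"},
]
# IAM export: current account state and when it was disabled, if ever.
IAM_ACCOUNTS = [
    {"user": "alice", "enabled": False, "disabled_at": "2024-03-01T18:30"},
    {"user": "bob",   "enabled": True,  "disabled_at": None},
    {"user": "carol", "enabled": False, "disabled_at": "2024-03-06T09:00"},
    {"user": "dave",  "enabled": True,  "disabled_at": None},
]


def hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps, rounded to 0.1 h."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return round(delta.total_seconds() / 3600, 1)


def find_revocation_gaps(leavers, accounts, now, sla_hours=24):
    """Return one finding per leaver whose access was not handled in time.

    Terminations must be disabled within `sla_hours` of the leaving date;
    role changes are flagged while the old account is still enabled, since
    the access should have been re-reviewed rather than silently kept.
    `now` is the audit timestamp used for accounts that are still enabled.
    """
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for rec in leavers:
        user, left = rec["user"], rec["left"]
        acct = by_user.get(user)
        if acct is None:  # no account to check: needs manual evidence instead
            continue
        if rec["event"] == "role_change":
            if acct["enabled"]:
                findings.append({"user": user, "issue": "access not re-reviewed after role change",
                                 "hours": hours_between(left, now)})
        elif acct["enabled"]:
            findings.append({"user": user, "issue": "still enabled after termination",
                             "hours": hours_between(left, now)})
        else:
            lag = hours_between(left, acct["disabled_at"])
            if lag > sla_hours:
                findings.append({"user": user, "issue": "revoked late", "hours": lag})
    return findings
```

Each finding carries the number of hours the access outlived the HR event, which is the figure an auditor needs to decide whether a late revocation is an isolated slip or a systemic non-conformity.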
