3. Human Resource Security
This category addresses the need to ensure that employees, contractors, and third-party users understand their information security responsibilities and are suitable for the roles for which they are considered. It covers the controls that apply before employment, during employment, and at termination or change of employment, so that the organization's information assets are protected throughout the employment lifecycle.
Controls (A.7):
A.7.1.1: Screening
A.7.1.2: Terms and Conditions of Employment
A.7.2.1: Management Responsibilities
A.7.2.2: Information Security Awareness, Education, and Training
A.7.2.3: Disciplinary Process
A.7.3.1: Termination or Change of Employment Responsibilities
Control A.7.1.1: Screening
Audit Questions:
Are background checks conducted on all new hires and contractors, in accordance with applicable laws and proportional to the sensitivity of the information they will access?
What criteria are used for screening candidates based on their role and access level?
Can you provide evidence of recent screenings (e.g. completed check records for a sample of recent hires and contractors)?
Common Non-Conformities (NC):
Lack of documented screening procedures.
Inconsistent application of background checks (e.g. contractors or internal transfers not screened).
Screening criteria not proportional to the role's access level or the classification of the information accessed.
Control A.7.1.2: Terms and Conditions of Employment
Audit Questions:
Are information security responsibilities included in the terms and conditions of employment?
How are these terms communicated and enforced?
Common Non-Conformities (NC):
Information security responsibilities not included in employment terms.
Employees unaware of their information security responsibilities.
Lack of enforcement of these terms.
Control A.7.2.1: Management Responsibilities
Audit Questions:
How do managers ensure that employees understand and fulfill their information security responsibilities?
Are there regular reviews of employee performance related to information security?
Common Non-Conformities (NC):
Managers not held accountable for ensuring employee compliance with information security.
Lack of performance reviews related to information security.
Control A.7.2.2: Information Security Awareness, Education, and Training
Audit Questions:
Are employees provided with regular information security awareness and training programs?
How is the effectiveness of these programs measured (e.g. completion records, assessment results, or follow-up checks on behaviour)?
Common Non-Conformities (NC):
No regular information security training programs.
Training programs not tailored to specific roles and responsibilities.
Lack of measurement of training effectiveness.
Control A.7.2.3: Disciplinary Process
Audit Questions:
Is there a documented disciplinary process for information security breaches?
How is this process communicated to employees?
Common Non-Conformities (NC):
Lack of a documented disciplinary process.
Employees unaware of the consequences of information security breaches.
Inconsistent application of disciplinary measures.
Control A.7.3.1: Termination or Change of Employment Responsibilities
Audit Questions:
What procedures are in place for ensuring the secure termination or change of employment?
Are there documented processes for revoking access and retrieving company assets?
Common Non-Conformities (NC):
Lack of procedures for secure termination or change of employment.
Access not revoked promptly (e.g. accounts of leavers still active after the termination date, or access rights not adjusted after a change of role).
Company assets not retrieved in a timely manner.