ISO 27001 - Annex A.7 - Human resource security

What is Annex A.7?

Annex A.7 is the most well-structured of Annex A, and outlines the management system standards for workers and contractors before, during, and after employment. It includes all HR duties such as recruiting, contracts, awareness, education, training, discipline, change, and termination.

The main goal of Annex A.7 is to guarantee that all employees, suppliers, and contractors are qualified for and understand their engagement/job tasks and responsibilities and that access is revoked after the engagement is finished.

Although this may be the overarching goal, each control of Annex A.7 has its own objective.

What is the objective of Annex A.7?

Similar to cyber-attacks, your ISMS may be prone to human resource errors as well. To counter errors, Annex A.7 provides 3 major security controls. They are:

Annex A.7.1: Prior to employment 

This Annex's goal is to guarantee that workers and contractors are aware of their obligations and are fit for the jobs they are being evaluated for. It also covers what happens when employees resign, change roles or are terminated.

To action this, careful planning and a clear understanding of roles and duties are required. Individual Employment Agreements (IEAs) and Contractor Agreements (CAs) can be used to create well-defined job descriptions.

Annex A.7.2: During employment 

This section's goal is to ensure that all workers and contractors understand and fulfil their duties related to information security while on the job. There may be a variety of approaches taken.

Start with a well-structured induction. Integrate the concept of information security into your new employee orientation programme. All your policies, asset management, system access, building access, password strength, malware, backups, software controls, networks, buying, incidents, and business continuity will be covered depending on your system.

Implement a programme of ongoing education and training for your whole workforce next. Cover the above-mentioned topics. This is a continuous effort. It is not enough to conduct one-time training and teaching sessions.

Annex A.7.3 - Termination and change of employment

Annex A.7.3 focuses on termination and job changes. It is the goal of this Annex to safeguard the interests of the organisation during the process of modifying and terminating employment arrangements.

You are required to have mechanisms in place to handle the situation when an employee or contractor quits or changes jobs. The following questions would need to be answered:

• What happens to your systems' integrity?
• Are there any permissions that need to be changed?
• How often do you alter your passwords?
• Have building passwords been altered?
• What happens to information stored on their work devices? And many more.

The core of understanding how to implement Annex A.7 controls is first understanding what human resource security is.

What is human resource security?

The human resource security clause evaluates controls before, during, and after hiring a new employee. Controls include but are not limited to the definitions of roles and duties, recruitment, contract terms and conditions, awareness, education and training, disciplinary processes, and termination of activities.

Return of assets and management of access privileges are also covered by the controls in accordance with ISO/IEC 27001's requirements for human resources security.

What are the Annex A.7 controls?

Now that you have an understanding of what Annex A.7 is and the objectives of its controls let's take a look at the individual controls under each of the major clauses.

A.7.1.1: Screening 

All job applicants should be subjected to background checks and competency assessments as part of a thorough control. According to applicable laws, rules, and ethical standards, these procedures must be carried out in a manner that is proportional to the business needs, the categorization of information that will be accessed, and any potential hazards.

A screening for contractors should also be performed even if the contractor's parent organisation fulfils your larger security measures, such as an ISO 27001 certification and background checks.

A.7.1.2: Terms and conditions of employment

Information security obligations should be explicitly stated in contracts with both employees and contractors. Insist that all parties involved are aware of and familiar with NDAs, legal rights and duties, data processing, and the use of third-party information. It is critical that disciplinary measures are guided by certain policies within the organisation.

A.7.2.1: Management responsibilities

Senior-level management ensures all stakeholders know their information security duties and responsibilities and are driven to perform them. They should establish anonymous means for reporting information security violations. Management buy-ins are crucial for a company's security culture. This is when an outside manager or management team purchases a controlling ownership stake in an outside company and replaces its existing management team.

Additionally, it is the responsibility of managers to ensure that security awareness and conscientiousness are maintained across the organisation and to build an acceptable "security culture."

A.7.2.2: Information security awareness, education and training

All workers and, where necessary, contractors should get adequate awareness, education and training, and frequent updates on organisational rules and procedures.

The training and awareness must be presented in a way that your employees and contractors have the best chance of understanding and following it. This entails paying attention to the content and the medium for delivery. This is important because auditors would want proof of your training and compliance.

A.7.2.3: Disciplinary process

Employees who have violated company information security policies face disciplinary action under a well-defined and stated disciplinary procedure. 

To begin the disciplinary procedure, it must be established that an information security breach has happened first. Employees who are accused of committing data security breaches should undergo a formal disciplinary procedure to guarantee that they are treated fairly.

A.7.3.1: Termination or change of employment responsibilities

The employee's or contractor's terms and conditions of employment should include any responsibilities or tasks that remain in place after the employee or contractor's employment ends. 

Changes in responsibilities or employment should be handled at the end of the present responsibility or job and the commencement of the new one. Also included are the return of company property and the termination of access privileges, including physical access, to avoid security breaches.

Why is human resource security important for your organisation?

By adopting the framework's principles, organisations may maintain a human resources management system that fits their needs and ensures data availability, integrity, and confidentiality.

Additionally, human resource security will prove that you have the ability to:

• Establish a secure human resources management framework.
• Follow the framework and concepts of ISO 27002 in the establishment of human resources security controls in businesses.
• Understand the roles and responsibilities of human resources security management components, such as education, training and termination of activities and hiring and recruiting.
• Assist a company in the implementation and management of ISO/IEC 27002-based human resources security controls.
• Assist organisations in the application of KEY controls before, during, and after the employment of human resources.

Conclusion

Annex A.7 of ISO 27001 aims to improve your organisation’s human resource management and provide the information security you need with regard to your employees.

It is a crucial step of ISO 27001 certification and helps to establish a stronger connection and trust with your customers. If you require assistance in becoming ISO certified or establishing the clauses of Annex A, DataGuard's team of information security experts are ready to guide you through the process.