This article provides an overview of human resources security, the processes involved and how they overlap with information security as part of ISO 27002 compliance.

The objective is to:

  1. Ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
  2. Ensure that employees and contractors are aware of and fulfil their information security responsibilities.
  3. Protect the organisation’s interests as part of the process of changing or terminating employment.

Prior to employment:

  1. Screening – background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be aligned with business requirements, the classification of the information to be accessed and the associated risk.
  2. Terms and Conditions of Employment – The contractual agreements with employees and contractors should clearly specify their and the organisation’s responsibilities for information security.
  3. The contractual obligations for employees or contractors should reflect the organisation’s policies for information security.

During Employment:

  1. Management responsibilities – management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organisation.
  2. Information security awareness, education and training – all employees and contractors should receive appropriate awareness training and regular updates of information security policies and procedures, as relevant for their job function.
  3. Disciplinary process – there should be a formal disciplinary process in place to take action against employees who have committed an information security breach. This should be clearly and regularly communicated.

Termination and change of employment:

  1. Control – information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced.
  2. Guidelines – the communication of termination responsibilities should include on-going information security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement and the terms and conditions of employment continuing for a defined period after the end of the employee’s or contractor’s employment.

For more information please contact Morland-Austin at