Part 26 - A7 Human Resource Security
This clause of Annex A is probably the best structured of all the requirements listed in the Annex. It details the management system requirements for employees and contractors prior to their employment, during their employment and after their employment.
It covers all those HR tasks like recruitment, agreements, awareness, education, training, discipline, change and termination.
I have covered a lot of this territory previously in part 19 “Clauses 7.1 – 7.4 Resources, Competence, Awareness and Communication”. Go back and read that blog because it describes nicely many of the requirements listed here.
A.7.1 Prior to employment
Let's start with Recruitment.
The objective of the requirements in this subsection is to ensure that your candidates (employees and contractors) understand their responsibilities if they get the role and are suitable for the job they are being considered for.
Therefore you need to have planned well and be clear what the responsibilities are. This can be done with a well-developed job description.
You can use this as a screening tool for candidates.
It will also discussed in detail at the interview so that you a clear with the responsibilities.
Don’t forget to get your Individual Employment Agreements (IEA) and Contractor Agreements in order too.
Here at Mango we had our standard IEA template and Contractor’s Agreement updated by our lawyers to include specific details around information security. I suggest that you do the same.
A.7.2 During employment
The objective of this section is that during their employment both employees and contractors are aware of and fulfil their information security responsibilities. This will be done in multiple ways.
Firstly start with a strong induction programme. Update your induction system to include information security. Depending on your system you will cover all your polices, management of assets, access to systems, access to buildings, password strength, malware, backups, software controls, networks, purchasing, incidents and business continuity.
Here at Mango we updated our induction checklist to include these items.
Next, implement an on-going training and education programme for all your staff. Cover those items listed above. This is an ongoing process. One-off training and education sessions won’t cut it.
Here at Mango we have monthly Management Review meeting with all staff. During those sessions we always incorporate some education and training on information security. This education is then recorded in Mango as professional development for each employee.
A.7.3 Termination and change of employment
This is an often overlooked area of information security. When an employee or a contractor leaves or changes roles, your systems need to cover:
- What happens to the integrity of your systems?
- What access rights need to change?
- Do you change passwords?
- Do you change pass-codes on buildings?
- What happens to mobile device data?
- And on and on ...
There are plenty of things to oversee to ensure that your systems are not compromised.
Takeaways
- Update your individual employment agreements and contractor agreements with information security at the core of the agreements.
- Create an information security training and education plan for your staff. Make sure you are consistent with delivering the plan.
- Try and include information security into your business-as-usual tasks like, management meetings, review meetings, company newsletters etc. and treat them as educational or training events.
- Develop some robust systems for when your employees or contractors either change roles are terminated.
View previous blogs in this series "ISO 27001 Information Security Management Standard":
Part 1 - Reasons why you need to meet this standard
Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
Part 3 - Principle 2 - Awareness of the Need for Information Security
Part 4 - Principle 3 - Assignment of Responsibility for Information Security
Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders
Part 6 - Principle 5 - Enhancing Societal Values
Part 9 - Principle 8 - Active prevention and detection of information security incidents
Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management
Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3
Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4
Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1
Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2
Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3
Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1
Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2
Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4
Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5
Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3
Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3
Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2
Part 24 - ISO 27001 Information Security Management Standard: Clauses A5.1
Part 25 - ISO 27001 Information Security Management Standard: Clauses A6