ISO 27001:2013 A.7 Human resource security

by Pretesh Biswas

In today’s world of digital transformation, mobile business, interconnectivity, and remote workforces, there’s one word that must be top of mind for any organization: security. Especially when employees and proprietary business data begin to mix. It is not all about malicious hackers or ransomware attacks, either. Here’s the thing, and it’s something that we tend to forget as we go about our busy workdays: employees are prone to human error. They’re human beings, not machines, after all. Also, with the mainstreaming of BYOD (bring your own device) policies, the window for error widens every day. The average company already uses more than 20 Software as a Service applications, including Asana, Dropbox, Skype, Basecamp, and a slew of other cloud-based apps. All of those apps require passwords. Data breaches happen because of the use of “weak, default or stolen passwords.” That’s scary, no matter how large or small your business is. The risk also includes “employee-driven” security mistakes, such as sending sensitive information to the wrong person, not disposing of company information correctly, misconfiguration of IT systems, and lost and stolen laptops and mobile devices. Information security requires ongoing vigilance. Taking active steps to help your teams keep sensitive information safe and secure is vital. Let’s take a look at a few of the most important ones.

The first and most important thing HR departments can do when it comes to information security is to be proactive rather than reactive. Technology (and the potential for breaches) has entered every facet of business today. It’s not enough to rely on your IT department to make sure staff are educated about data loss and how to prevent it. You must provide training to educate your employees about their roles in keeping data safe. They need to know what the security protocols are, how to develop and use strong passwords, and what to do if they suspect trouble or have misplaced a device that they also use for business. Human Resources professionals are responsible for ensuring that employees comply with security policies that are designed to protect your firm, your clients, and your workforce. Aside from making employees aware of company policies and procedures, HR representatives must work with management to investigate and address any instances involving violations of these rules. The HR department is an essential ally for ensuring that information security policies are correctly presented, documented, communicated, and enforced.


The role of an HR professional in upholding your company’s security policies begins during the staff recruitment process. Legally, you can conduct background checks on prospective hires as long as you gain the consent of those individuals. Pre-employment checks usually include criminal history investigations and credit reports. Financial services companies and other firms that handle cash and sensitive data often eliminate people with poor credit or past convictions from the applicant pool after reviewing background checks.

2. Code of Conduct

Your firm could lose money if your workers casually share proprietary information with your competitors. Additionally, you could face lawsuits if employees fail to protect your clients’ financial information. To avoid such issues, implement a company code of conduct. This HR document should include clear instructions for safeguarding sensitive information. Provide every employee with a copy of this policy and require every new hire to sign an agreement to abide by the code of conduct. Over time you might need to update or amend this document to accommodate the implementation of new processes or procedures. HR representatives are responsible for ensuring that employees are made aware of such changes.

3. Information Technology

Most companies are heavily reliant on computer software and various types of remote communication devices. Consequently, HR professionals must work closely with information technology personnel to ensure that employee files are encrypted and that appropriate security mechanisms have been put in place. HR policies can dictate the manner in which your employees can access work systems from home or from other locations. HR professionals must liaise between the IT department and these workers to ensure they understand the methods of accessing data and the rules for viewing such information.


Even with codes of conduct and encryption devices, some unscrupulous people find ways to circumvent systems and violate company rules. If this is the case, investigate all security violations and take the appropriate disciplinary action. If violations are overlooked, then other employees might start to ignore the rules. Furthermore, you leave the company open to discrimination lawsuits if you fail to consistently enforce company policies. In extreme cases involving employee theft or fraud, HR representatives must contact law enforcement officials and press charges against the violators. Therefore, the role of HR in enforcing a security policy begins before an employee joins the firm and might end months or years after a particular employee has left the company.

Employees handling personal data in an organization need to receive appropriate awareness training and regular updates in an effort to safeguard the data entrusted to them. Appropriate roles and responsibilities assigned for each job description need to be defined and documented in alignment with the organization’s security policy. The organization’s data must be protected from unauthorized access, disclosure, modification, destruction, or interference. The management of human resources security and privacy risks is necessary during all phases of employment association with the organization. Training to enhance awareness is intended to educate individuals to prevent data disclosure, recognize information security problems and incidents, and respond according to the needs of their work role.

Safeguards include the following:

  • job descriptions and screening,
  • user awareness and training,
  • a disciplinary process, and
  • an orderly exit process.

Together these must equip employees to operate securely and use information appropriately, and ensure that access privileges change when a user’s relationship with the organization changes.

The objective of Human Resources Security is to ensure that all employees (including contractors and any user of sensitive data) are qualified for their roles, understand the responsibilities of their job duties, and have their access removed once employment is terminated. The three areas of Human Resources Security are:

  • Prior to Employment: This topic includes defining the roles and responsibilities of the job, defining appropriate access to sensitive information for the job, and determining the depth of candidates’ screening levels – all in accordance with the company’s information security policy. During this phase, contract terms should also be established.
  • During Employment: Employees with access to sensitive information in an organization should receive periodic reminders of their responsibilities and receive ongoing, updated security awareness training to ensure their understanding of current threats and the corresponding security practices to mitigate such threats.
  • Termination and Change of Employment: To prevent unauthorized access to sensitive information, access must be revoked immediately upon termination/separation of an employee with access to such information. This also includes the return of any assets of the organization that were held by the employee.
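The revocation and change-of-role handling described in the list above, as an added example that is not part of the original article: a small Python reconciliation of an HR roster against the accounts an identity store reports. The data model, the role names, the entitlement baselines and the sample records are all constructed for this example and are not taken from ISO 27001 or from any real system. It shows the four outcomes a leaver/mover review has to produce: leavers are disabled (or scheduled for disablement on their last day), movers lose entitlements that their new role does not justify, accounts with no HR record at all are surfaced, and unreturned assets are flagged for recovery.

```python
"""Joiner/mover/leaver reconciliation (constructed example).

Compares an HR roster with the accounts an identity store reports and
emits the access actions a termination / change-of-employment review
requires. All names, roles and baselines below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Hypothetical role -> entitlement baselines. In practice these come from the
# organization's access model; here they are constructed for the example.
ROLE_BASELINES: Dict[str, Set[str]] = {
    "finance_analyst": {"erp_read", "erp_post", "email"},
    "helpdesk": {"ticketing", "ad_reset_password", "email"},
    "contractor_dev": {"git", "ci", "email"},
}


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str                       # current role (for movers: the NEW role)
    status: str                     # "active" | "on_notice" | "terminated"
    end_date: Optional[date] = None  # last working day for leavers
    assets_returned: bool = True     # laptops, tokens, badges handed back?


@dataclass(frozen=True)
class Account:
    user_id: str
    entitlements: FrozenSet[str]


# (action, user_id, detail)
Action = Tuple[str, str, str]


def reconcile(hr_roster: List[HrRecord], accounts: List[Account], today: date) -> List[Action]:
    """Return the access actions needed so that accounts match the HR roster."""
    hr_by_id = {r.user_id: r for r in hr_roster}
    actions: List[Action] = []

    for acct in sorted(accounts, key=lambda a: a.user_id):
        rec = hr_by_id.get(acct.user_id)

        # No HR record: the account belongs to nobody the organization employs.
        if rec is None:
            actions.append(("disable", acct.user_id, "no HR record: orphaned account"))
            continue

        # Leaver whose employment has already ended: disable now, chase assets.
        ended = rec.status == "terminated" or (rec.end_date is not None and rec.end_date <= today)
        if ended:
            actions.append(("disable", acct.user_id, "employment ended"))
            if not rec.assets_returned:
                actions.append(("recover_assets", acct.user_id, "assets still outstanding"))
            continue

        # Leaver with a future last day: schedule disablement for that date.
        if rec.end_date is not None:
            actions.append(("schedule_disable", acct.user_id, rec.end_date.isoformat()))

        # Mover (or anyone): entitlements beyond the role baseline must go.
        baseline = ROLE_BASELINES.get(rec.role)
        if baseline is None:
            actions.append(("review", acct.user_id, f"no baseline defined for role {rec.role!r}"))
            continue
        excess = set(acct.entitlements) - baseline
        if excess:
            actions.append(("revoke", acct.user_id, ",".join(sorted(excess))))

    return actions


# Constructed sample data: bob moved from finance to helpdesk but kept erp_post,
# carol left without returning her laptop, dave is working his notice period,
# and erin has an account but no HR record at all.
HR_ROSTER = [
    HrRecord("alice", "finance_analyst", "active"),
    HrRecord("bob", "helpdesk", "active"),
    HrRecord("carol", "contractor_dev", "terminated", date(2024, 1, 31), assets_returned=False),
    HrRecord("dave", "finance_analyst", "on_notice", date(2024, 3, 15)),
]
ACCOUNTS = [
    Account("alice", frozenset({"erp_read", "erp_post", "email"})),
    Account("bob", frozenset({"ticketing", "ad_reset_password", "email", "erp_post"})),
    Account("carol", frozenset({"git", "ci", "email"})),
    Account("dave", frozenset({"erp_read", "email"})),
    Account("erin", frozenset({"vpn"})),
]


def demo() -> List[Action]:
    """Run the reconciliation over the constructed sample as of 2024-03-01."""
    return reconcile(HR_ROSTER, ACCOUNTS, date(2024, 3, 1))


if __name__ == "__main__":
    for action, user, detail in demo():
        print(f"{action:17s} {user:8s} {detail}")
```

The review treats a change of role exactly as the text describes it: the old role's access is not carried over, and anything not in the new role's baseline is revoked. Feeding the output into a ticketing or IAM system, rather than applying it blindly, keeps a human in the loop for the `review` cases where no baseline exists.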

A.7.1 Prior to employment


To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1 Screening


Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations, and ethics and should be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

Implementation Guidelines:

Verification should take into account all relevant privacy, protection of personally identifiable information and employment-based legislation, and should, where permitted, include the following:

  1. availability of satisfactory character references, e.g. one business and one personal;
  2. a verification (for completeness and accuracy) of the applicant’s curriculum vitae;
  3. confirmation of claimed academic and professional qualifications;
  4. independent identity verification (passport or similar document);
  5. more detailed verification, such as credit review or review of criminal records.

When an individual is hired for a specific information security role, organizations should make sure the candidate:

  1. has the necessary competence to perform the security role;
  2. can be trusted to take on the role, especially if the role is critical for the organization.

Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities, and in particular if these are handling confidential information, e.g. financial information or highly confidential information, the organization should also consider further, more detailed verifications. Procedures should define criteria and limitations for verification reviews, e.g. who is eligible to screen people and how, when and why verification reviews are carried out.

A screening process should also be ensured for contractors. In these cases, the agreement between the organization and the contractor should specify responsibilities for conducting the screening and the notification procedures that need to be followed if screening has not been completed or if the results give cause for doubt or concern.

Information on all candidates being considered for positions within the organization should be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction. Depending on applicable legislation, the candidates should be informed beforehand about the screening activities.

A.7.1.2 Terms and conditions of employment


The contractual agreements with employees and contractors should state their and the organization’s responsibilities for information security.

Implementation Guidelines:

The contractual obligations for employees or contractors should reflect the organization’s policies for information security in addition to clarifying and stating:

  1. that all employees and contractors who are given access to confidential information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities.
  2. the employee’s or contractor’s legal responsibilities and rights, e.g. regarding copyright laws or data protection legislation.
  3. responsibilities for the classification of information and management of organizational assets associated with information, information processing facilities and information services handled by the employee or contractor.
  4. responsibilities of the employee or contractor for the handling of information received from other companies or external parties.
  5. actions to be taken if the employee or contractor disregards the organization’s security requirements.

Information security roles and responsibilities should be communicated to job candidates during the pre-employment process. The organization should ensure that employees and contractors agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services. Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment.

A code of conduct may be used to state the employee’s or contractor’s information security responsibilities regarding confidentiality, data protection, ethics, appropriate use of the organization’s equipment and facilities, as well as reputable practices expected by the organization. An external party, with which a contractor is associated, can be required to enter into contractual arrangements on behalf of the contracted individual.

A.7.2 During employment


To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1 Management responsibilities


Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

Implementation Guidelines:

Management responsibilities should include ensuring that employees and contractors:

  1. are properly briefed on their information security roles and responsibilities prior to being granted access to confidential information or information systems.
  2. are provided with guidelines to state the information security expectations of their role within the organization.
  3. are motivated to fulfil the information security policies of the organization.
  4. achieve a level of awareness of information security relevant to their roles and responsibilities within the organization.
  5. conform to the terms and conditions of employment, which includes the organization’s information security policy and appropriate methods of working.
  6. continue to have the appropriate skills and qualifications and are educated on a regular basis.
  7. are provided with an anonymous reporting channel to report violations of information security policies or procedures (“whistleblowing”).

Management should demonstrate support of information security policies, procedures and controls, and act as a role model.

If employees and contractors are not made aware of their information security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause fewer information security incidents. Poor management can cause personnel to feel undervalued, resulting in a negative information security impact on the organization. For example, poor management can lead to information security being neglected or to potential misuse of the organization’s assets.

A.7.2.2 Information security awareness, education, and training


All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

Implementation Guidelines:

An information security awareness program should aim to make employees and, where relevant, contractors aware of their responsibilities for information security and the means by which those responsibilities are discharged. An information security awareness program should be established in line with the organization’s information security policies and relevant procedures, taking into consideration the organization’s information to be protected and the controls that have been implemented to protect the information. The awareness program should include a number of awareness-raising activities such as campaigns (e.g. an “information security day”) and issuing booklets or newsletters. The awareness program should be planned to take into consideration the employees’ roles in the organization and, where relevant, the organization’s expectation of the awareness of contractors.

The activities in the awareness program should be scheduled over time, preferably regularly, so that the activities are repeated and cover new employees and contractors. The awareness program should also be updated regularly so it stays in line with organizational policies and procedures, and should be built on lessons learned from information security incidents. Awareness training should be performed as required by the organization’s information security awareness program. Awareness training can use different delivery media including classroom-based, distance learning, web-based, self-paced, and others. Information security education and training should also cover general aspects such as:

  1. stating management’s commitment to information security throughout the organization.
  2. the need to become familiar with and comply with applicable information security rules and obligations, as defined in policies, standards, laws, regulations, contracts, and agreements.
  3. personal accountability for one’s own actions and inactions, and general responsibilities towards securing or protecting information belonging to the organization and external parties.
  4. basic information security procedures (such as information security incident reporting) and baseline controls (such as password security, malware controls, and clear desks).
  5. contact points and resources for additional information and advice on information security matters, including further information security education and training materials.

Information security education and training should take place periodically. Initial education and training apply to those who transfer to new positions or roles with substantially different information security requirements, not just to new starters, and should take place before the role becomes active. The organization should develop an education and training program in order to conduct education and training effectively. The program should be in line with the organization’s information security policies and relevant procedures, taking into consideration the organization’s information to be protected and the controls that have been implemented to protect the information. The program should consider different forms of education and training, e.g. lectures or self-studies.

When composing an awareness program, it is important not only to focus on the ‘what’ and ‘how’, but also the ‘why’. It is important that employees understand the aim of information security and the potential impact, positive and negative, of their own behavior on the organization. Awareness, education, and training can be part of, or conducted in collaboration with, other training activities, for example general IT or general security training. Awareness, education, and training activities should be suitable and relevant to the individual’s roles, responsibilities, and skills. An assessment of the employees’ understanding could be conducted at the end of the awareness, education, and training course to test knowledge transfer.

A.7.2.3 Disciplinary process


There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

Implementation Guidelines:

The disciplinary process should not be commenced without prior verification that an information security breach has occurred. The formal disciplinary process should ensure correct and fair treatment for employees who are suspected of committing breaches of information security. The formal disciplinary process should provide for a graduated response that takes into consideration factors such as the nature and gravity of the breach and its impact on business, whether this is a first or a repeat offense, whether or not the violator was properly trained, relevant legislation, business contracts, and other factors as required. The disciplinary process should also be used as a deterrent to prevent employees from violating the organization’s information security policies and procedures and from committing any other information security breaches. Deliberate breaches may require immediate action. The disciplinary process can also become a motivation or an incentive if positive sanctions are defined for remarkable behavior with regard to information security.

A.7.3 Termination and change of employment


To protect the organization’s interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of employment responsibilities


Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor, and enforced.

Implementation Guidelines:

The communication of termination responsibilities should include on-going information security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement and the terms and conditions of employment continuing for a defined period after the end of the employee’s or contractor’s employment. Responsibilities and duties still valid after termination of employment should be contained in the employee’s or contractors’ terms and conditions of employment. Changes of responsibility or employment should be managed as the termination of the current responsibility or employment combined with the initiation of the new responsibility or employment.

The human resources function is generally responsible for the overall termination process and works together with the supervising manager of the person leaving to manage the information security aspects of the relevant procedures. In the case of a contractor provided through an external party, this termination process is undertaken by the external party in accordance with the contract between the organization and the external party. It may be necessary to inform employees, customers, or contractors of changes to personnel and operating arrangements.


Prior to Employment

Security responsibilities must be addressed at the recruitment stage, included in contracts, and monitored during an individual’s employment. Candidates must be adequately screened, commensurate with the sensitivity of the information being handled. If necessary, all employees and third-party users should sign a confidentiality (non-disclosure) agreement. Prior to hiring or contracting employees or companies, security roles and responsibilities should be clearly articulated in job descriptions or well defined in contract terms and conditions. These roles and responsibilities should be defined in accordance with the organization’s security policies. Careful attention should be paid to the validation of references and to the appropriate level of background checks, as determined by the security roles and responsibilities of the position or contract. Consideration should be given to making the receipt of affirmative references and the successful completion of a background check, at a level commensurate with the position’s roles and responsibilities, a condition of hire. The purpose of this section is to introduce the security controls for people who work for the organization (both employees and other people who are contracted). These controls are really important because statistics worldwide show that people working for companies represent the biggest threat to information security. The most common ways of implementing these security controls are:

  • Documenting a human resource management procedure, although it is not a mandatory document.
  • Signing contracts with employees and other contractors that include information security clauses.
  • Regularly training people on security issues and continual awareness-raising campaigns.
  • Introducing a disciplinary process for all employees who have committed information security breaches.

The objective of this category is to ensure that employees, contractors, and third-party users understand their responsibilities, and are suitable for the roles for which they are considered, in order to reduce the risk of theft, fraud, or misuse of facilities.  Security roles and responsibilities of employees, contractors, and third-party users should be defined and documented in accordance with the organization’s information security policy. Control includes requirements to:

  • act in accordance with the organization’s information security policy, including the execution of processes or activities particular to the individual’s role;
  • protect all information assets from unauthorized access, use, modification, disclosure, destruction, or interference;
  • report security events, potential events, or other risks to the organization and its assets; and
  • assign responsibility to the individual for actions taken or, where appropriate, responsibility for actions not taken, consistent with the sanctions policy.


Appropriate background verification checks — also known as “screening” or “clearance” — for all candidates for employment, contractor status, or third-party user status, should be carried out. Control includes checks that:

  • are commensurate with the organization’s business needs, and with relevant legal-regulatory-certificatory requirements;
  • take into account the classification/sensitivity of the information to be accessed, and the perceived risks;
  • take into account all privacy, protection of personal data and other relevant employment legislation; and
  • include, where appropriate, components such as identity verification, character references, CV verification, criminal and credit checks.

Terms and conditions of employment

Employees, contractors, and third-party users should agree to and sign a statement of rights and responsibilities for their affiliation with the organization, including rights and responsibilities with respect to information security. The organization should define security roles and responsibilities in accordance with its information security policy. The organization must ensure that information security policies are readily accessible and formally communicated to all personnel on a periodic basis. All employees, including contractors, temporary staff, board, and/or committee members, should sign confidentiality or non-disclosure agreements as part of their initial terms and conditions of employment. Such agreements should give notice to users of the organization’s policies, rights, obligations, and responsibilities in relation to access to information assets. Confidentiality, non-disclosure, and/or contractual agreements should also be reviewed when there are changes to terms of employment or contract, particularly when employees are due to leave the organization or contracts are due to expire. The organization should ensure that all personnel employed are adequately bound by the confidentiality and non-disclosure requirements. Punitive and/or remedial action(s) to be taken if the employee disregards security requirements should also be clearly described in the terms and conditions. Such measures must be aligned with a formally documented disciplinary process. Casual staff and third-party users (such as volunteers) not already covered by an existing contract (containing the confidentiality agreement) should also be required to sign a confidentiality agreement prior to being given access to information processing facilities or information assets. The organization must establish agreements with equipment repairers to safeguard the confidentiality of information (and data) on equipment undergoing repair. Control includes, in the signed agreement:

  1. information about the scope of access and other privileges the person will have, with respect to the organization’s information and information processing facilities;
  2. information about the person’s responsibilities, under legal-regulatory-certificatory requirements and organizational policies, specified in that or other signed agreements;
  3. as appropriate, information about responsibilities for classification of information and management of organizational information facilities that the person may use;
  4. as appropriate, information about the handling of sensitive information, both internal to the organization and that received from or transferred to outside parties;
  5. information about responsibilities that extend outside the organization’s boundaries (e.g., for mobile devices and teleworking);
  6. information about the organization’s responsibilities for the handling of information related to the person him/herself, generated in the course of employment, contractor or other third party relationship;
  7. actions that can be anticipated, under the organization’s disciplinary process, as a consequence of failure to observe security requirements.

This control may also include the provision of an organizational code of conduct or code of ethics to the employee, contractor, or third party. It may also include a requirement to sign, prior to being given access or other privileges to information or information processing facilities, a separate confidentiality or non-disclosure agreement; and/or acceptable use of assets agreement.

During Employment

This category aims to ensure that employees, contractors, and third-party users are aware of information security threats and concerns, of their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work and to reduce the risk of human error. Employee Orientation for new employees: All new employees should participate in new employee orientation workshops or be provided with pertinent information including security policies and procedures and potential disciplinary processes/actions for any security breaches. Additionally, new employees should be required to sign an acknowledgment indicating that they read and understand the organization’s acceptable use policy, the organization’s security policies, and any non-disclosures (if applicable). All managers and supervisors should be expected to emphasize the importance of security to their employees. Organizations should provide relevant information security information delivered on a defined schedule (annually, bi-annually, etc.) appropriate to the employee’s job roles and responsibilities. All employees should be required to take general training on basic information security practices and/or acknowledge their basic understanding of the organization’s security policies and procedures. A process for official disciplinary actions for security breaches should be established and promulgated to the organization’s employees.

Management responsibilities

Management should require employees, contractors and third-party users to apply security controls in accordance with the established policies and procedures of the organization. Managers and supervisors, or those acting in supervisory capacities, must ensure that personnel under their direction and control, including contractors and temporary staff, apply security practices in accordance with the organization’s established policies and procedures. Management should define responsibilities for general personnel, including contractors and volunteers, in relation to implementing or maintaining security in line with the organization’s policies. It must also specify responsibilities for the protection of particular assets, including critical infrastructure, or for the execution of particular security processes or activities. Management must also communicate the requirement for personnel to report security events and incidents (actual or perceived) and uphold the requirement to report other security risks that are identified. Management may note that the personal circumstances of personnel, such as financial problems, changes in their behaviour or lifestyle, recurring absences and evidence of stressful situations or illness, may give rise to security implications in the workplace. Control includes:

  • appropriately informing all employees, contractors, and third-party users of their information security roles and responsibilities, prior to granting access to sensitive information or information systems;
  • providing all employees, contractors, and third parties with guidelines/rules that state the security control expectations of their roles within the organization;
  • achieving an appropriate level of awareness of security controls among all employees, contractors, and third parties, relevant to their roles and responsibilities, and an appropriate level of skills and qualifications, sufficient to execute those security controls;
  • assuring the conformity to the terms and conditions of employment related to security;
  • motivating adherence to the security policies of the organization, such as with an appropriate sanctions policy; and
  • mitigating the risks of a failure to adhere to policies, by ensuring that all persons have appropriately-limited access to the organization’s information and information facilities.

Information security awareness, education, and training

All employees of the organization, and, where relevant, contractors and third-party users, should receive appropriate awareness training in, and regular updates of, organizational policies and procedures relevant to their job functions. The organization must ensure that information security awareness programs inform personnel of the existence and availability of current versions of the information security policy, standards, and procedures. The organization must ensure that employee information security awareness and procedures are reinforced by regular updates. Security reminder messages should be posted in secured areas and/or regularly communicated to personnel according to the intended audience and/or classification of the notifications. A copy of the information security policies should be issued to all new personnel as they join and to all existing personnel. Personnel should be made aware of the security classifications of the information assets that they use, so that they handle them appropriately. Control includes:

  • a formal induction process that includes information security training, prior to being granted access to information or information systems;
  • ongoing training in security control requirements, legal, regulatory and certification responsibilities, and correct procedures generally, suitable to each person’s roles and responsibilities;
  • periodic reminders that cover both general security topics and specific issues of relevance to the organization given its history of security incidents; and
  • other appropriate efforts to raise and maintain awareness of security issues.

Disciplinary process

There should be a formal disciplinary process for employees who have committed a security breach. A formal disciplinary process must be established by the organization in relation to employees who have violated the organization’s security policies and procedures, including provision for the retention of evidence. Disciplinary processes should aim to be a deterrent to employees who might otherwise be inclined to disregard security policies and procedures. Where appropriate, discipline should be in line with the relevant employment act conditions. For employees not covered under this, discipline should be in line with contract terms and conditions. Where it is formally stated that some activity is not allowed, but informally action is not generally taken against the activity (e.g. banning the distribution of jokes via e-mail), any subsequent disciplinary action that is taken in this regard may be subject to legal challenge and may, therefore, be unenforceable. Disciplinary action should accurately reflect the nature of the breach of policy. Minor infringements are to be expected and should be dealt with through cautions and user security awareness education. Repeated minor infringements may be symptomatic of an inappropriate policy or control, and should entail a re-assessment of its suitability. Repeated minor infringements not due to an inappropriate policy or control, or a major breach of security, may be more suitably dealt with by formal sanctions such as termination of access (temporary or permanent) or legal action. The nature of appropriate disciplinary action should be determined by the workforce management function, in consultation with security officers and with legal officers if legal action is contemplated. Control includes:

  • a reasonable evidentiary standard to initiate investigations (reasonable suspicion that a breach has occurred);
  • appropriate investigatory processes, including specification of roles and responsibilities, standards for the collection of evidence and chain of custody of evidence;
  • disciplinary proceedings that observe reasonable requirements for due process and quality of evidence;
  • a reasonable evidentiary standard to determine fault, that ensures correct and fair treatment for persons suspected of a breach;
  • sanctions that appropriately take into consideration factors such as the nature and gravity of the breach, its impact on operations, whether it is a first or repeat offence, whether or not the violator was appropriately trained, whether or not the violator exercised due care or exhibited negligence;
  • an overall process that functions both as deterrent and sanction.

Termination or change of employment responsibilities

The objective is to ensure that employees, contractors, and third-party users exit the organization, or change employment responsibilities within the organization, in an orderly manner. Responsibilities for performing employment termination or change of employment should be clearly defined and assigned. The organization must implement and maintain a procedure or set of procedures to effectively manage departing employees or the withdrawal of assigned responsibilities for employees, contractors, and other third-party users. The procedure must also cover the withdrawal of assigned responsibilities resulting from a change in employment status for employees, contractors, and other third-party users. The organization should ensure that important knowledge or operational skills have been transferred to other resources prior to the departure of the employee and/or contractor. Control includes:

  • changes of responsibilities and duties within the organization are processed as a termination (of the old position) and re-hire (to the new position), using standard controls for those processes unless otherwise indicated;
  • other employees, contractors, and third parties are appropriately informed of a person’s changed status; and
  • any post-employment responsibilities are specified in the terms and conditions of employment, or a contractor’s or third party’s contract.

Return of assets

All employees, contractors, and third parties should return all of the organization’s assets in their possession upon termination of the employment relationship or contract. Assets include all instances of information, data, documents, etc. The organization must establish procedures and processes to transfer Official Information contained on personal (home office or BYO) devices, such as home computers and mobile devices, to agency-owned information assets. Such procedures shall include a provision for the secure erasure of all Official Information (other than PUBLIC) that is stored on the personal device. Assets must be sanitized and secured, and those assets not required must be safely disposed of. Control includes:

  • formalization of the process for return (e.g., checklists against inventory);
  • inclusion in this requirement of the organization’s hardware, software and data of any kind; and
  • where the employee, contractor or third party use personal equipment, secure erasure of software and data belonging to the organization.

Removal of access rights

Access rights to information and information systems should be removed upon termination of the employment or contractual relationship. The organization must have an established and logged procedure for the withdrawal and/or modification of access rights for departing employees, contractors, and third-party users. Control includes:

  • changes of employment or contractual status include removal of all rights associated with prior roles and duties, and creation of rights appropriate to the new roles and duties;
  • removal or reduction of access rights prior to the termination, where risks indicate this step to be appropriate (e.g., where termination is initiated by the organization, or the access rights involved highly sensitive information or facilities).
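The two controls above, a mover handled as termination of the old position plus re-hire to the new one, and early reduction of rights where risk indicates, can be expressed as a small logged access registry. This is an added example, not part of the original page or any ISO text; the role-to-rights mapping, user names and the `AccessRegistry` class are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-rights mapping for the example (not from any real organization).
ROLE_RIGHTS = {
    "payroll-clerk": {"hr-portal", "payroll-db"},
    "sysadmin": {"vpn", "prod-servers", "payroll-db"},
    "intern": {"wiki"},
}
# Rights that touch highly sensitive information or facilities (constructed).
HIGHLY_SENSITIVE = {"payroll-db", "prod-servers"}


@dataclass
class AccessRegistry:
    rights: dict = field(default_factory=dict)      # user -> set of current rights
    audit_log: list = field(default_factory=list)   # the "logged procedure"

    def _log(self, user, action, detail):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, user, action, detail))

    def hire(self, user, role):
        # Grant exactly the rights of the new role; nothing is inherited from a prior role.
        self.rights[user] = set(ROLE_RIGHTS[role])
        self._log(user, "hire", f"role={role} granted={sorted(self.rights[user])}")
        return set(self.rights[user])

    def terminate(self, user, initiated_by_org=False):
        # Remove all rights associated with the prior roles and duties.
        removed = self.rights.pop(user, set())
        self._log(user, "terminate", f"removed={sorted(removed)} org_initiated={initiated_by_org}")
        return removed

    def change_role(self, user, new_role):
        # Mover = termination of the old position followed by re-hire to the new one,
        # so a right from the old role survives only if the new role also needs it.
        self.terminate(user)
        return self.hire(user, new_role)

    def reduce_before_termination(self, user, initiated_by_org):
        # Early removal where risk indicates: an organization-initiated leaver loses
        # everything now; otherwise only highly sensitive rights are withdrawn early.
        current = self.rights.get(user, set())
        to_remove = set(current) if initiated_by_org else current & HIGHLY_SENSITIVE
        if to_remove:
            current.difference_update(to_remove)
            self._log(user, "reduce", f"removed={sorted(to_remove)} org_initiated={initiated_by_org}")
        return to_remove
```

Every state change lands in `audit_log`, which is the evidence an auditor asks for when checking that leaver and mover access was actually withdrawn.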



If you need assistance or have any doubt and need to ask any questions, contact me at You can also contribute to this discussion and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.

One thought on “ISO 27001:2013 A.7 Human resource security”

  1. I am most captivated when you explained that management must instruct employees, contractors, and third-party users to implement security controls in conformity with specified policies and procedures of the company. My friend mentioned that their organization wants to improve its security policies to be certified for ISO 27001. I think that’s possible with the help of an ISO 27001 consulting firm to ensure they are guided.

