ISO 27001:2022 A 6.2 Terms and conditions of employment

Uncategorized 6 Minutes

Audio version of the article

Security responsibilities must be addressed at the recruitment stage, included in contracts, and monitored during an individual’s employment. Candidates must be adequately screened commensurate to the sensitivity of the information being handled. If necessary all employees and third-party users should sign a confidentiality (non-disclosure) agreement. Prior to hiring or contracting employees or companies, security roles and responsibilities should be clearly articulated in job descriptions or well defined in contract terms and conditions. These roles and responsibilities should be defined in accordance with the organization’s security policies. Careful attention should be paid to the validation of references and the appropriate level of background checks as determined by the security roles and responsibilities of the position or contract. Consideration should be given that the receipt of affirmative references and the successful completion of a background check at a level commensurate with the position’s roles and responsibilities be a condition of hire. The purpose of this section is to introduce the security controls for people who work for the organization (both the employees and other people who are contracted). These controls are really important because the statistics worldwide show that people working for the companies represent the biggest threat to information security. The most common ways of implementing these security controls are:

  • Documenting a human resource management procedure, although it is not a mandatory document.
  • Signing contracts with employees and other contractors that include information security clauses.
  • Regularly training people on security issues and continual awareness-raising campaigns.
  • Introducing a disciplinary process, for all employees who have committed information security breaches.

The objective of this category is to ensure that employees, contractors, and third-party users understand their responsibilities, and are suitable for the roles for which they are considered, in order to reduce the risk of theft, fraud, or misuse of facilities. Security roles and responsibilities of employees, contractors, and third-party users should be defined and documented in accordance with the organization’s information security policy. Control includes requirements to:

act in accordance with the organization’s information security policy, including the execution of processes or activities particular to the indivi

A 6.2 Terms and conditions of employment

Control

The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security.

Purpose

To ensure personnel understand their information security responsibilities for the roles for which they are considered.

Guidance

The contractual obligations for personnel should take into consideration the organization’s information security policy and relevant topic-specific policies. In addition, the following points can be clarified and stated:

a) confidentiality or non-disclosure agreements that personnel who are given access to confidential information should sign prior to being given access to information and other associated assets
b) legal responsibilities and rights (e.g. regarding copyright laws or data protection legislation );
c) responsibilities for the classification of information and management of the organization’s information and other associated assets, information processing facilities and information services handled by the personnel
d) responsibilities for the handling of information received from interested parties;
e) actions to be taken if personnel disregard the organization’s security requirements.

Information security roles and responsibilities should be communicated to candidates during the pre-employment process. The organization should ensure that personnel agree to terms and conditions concerning information security. These terms and conditions should be appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services. The terms and conditions concerning information security should be reviewed when laws, regulations, the information security policy or topic-specific policies change. Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment.

Other information

A code of conduct can be used to state personnel’s information security responsibilities regarding confidentiality, PII protection, ethics, appropriate use of the organization’s information and other associated assets, as well as reputable practices expected by the organization. An external party, with which supplier personnel are associated, can be required to enter into contractual agreements on behalf of the contracted individual. If the organization is not a legal entity and does not have employees, the equivalent of contractual agreement and terms and conditions can be considered in line with the guidance of this control.

Employees, contractors, and third-party users should agree to and sign a statement of rights and responsibilities for their affiliation with the organization, including rights and responsibilities with respect to information security. The organization should define security roles and responsibilities in accordance with its information security policy. The organization must ensure that information security policies are readily accessible and formally communicated to all personnel on a periodic basis. All employees including contractors, temporary staff, board, and/or committee members should sign confidentiality or non-disclosure agreements as part of their initial terms and conditions of employment. Such agreements should give notice to users of the Organization’s policies, rights, obligations, and responsibilities in relation to access to information assets. This controls talks about the need for contractual agreement to inform any new employee about their responsibility as well as that of the organisation towards information security.What this means is that employees should know about the company’s information security policy, as well as the roles and responsibilities of people who work with information security in the company. This can be done by having personnel sign an employment contract or something similar. Such a contractual agreement will typically outline the general requirements for protecting information assets, including physical security, environmental controls, access controls and contingency planning as well as a confidentiality agreement if they’ll be working with PII. Information security obligations should be explicitly stated in contracts with both employees and contractors. Insist that all parties involved are aware of and familiar with NDAs, legal rights and duties, data processing, and the use of third-party information. It is critical that disciplinary measures are guided by certain policies within the organisation. The contractual agreement with employees and contractors must state their and the organisation’s responsibilities for information security. These agreements are a good place to put key information security general and individual responsibilities as they carry legal weight – meaning they are backed up by the law. This is also very important as regards to compliance obligation. They should reference and cover a whole range of control areas including overall compliance with the ISMS as well as more specifically acceptable use, IPR ownership, return of assets etc.

Confidentiality, non-disclosure, and/or contractual agreements should also be reviewed when there are changes to terms of employment or contract, particularly when employees are due to leave the organization or contracts are due to expire. The organization should ensure that that all personnel employed are adequately bound to the confidentiality and non-disclosure requirements. Punitive and/or remedial action(s) to be taken if the employee disregards security requirements should also be clearly described in the terms and conditions. Such measures must be aligned with a formally documented disciplinary process. Casual staff and third-party users (such as volunteers) not already covered by an existing contract (containing the confidentiality agreement) should also be required to sign a confidentiality agreement prior to being given access to information processing facilities or information assets. The organization must establish agreements with equipment repairers to safeguard the confidentiality of information (and data) on equipment undergoing repair. Control includes, in the signed agreement:

  1. information about the scope of access and other privileges the person will have, with respect to the organization’s information and information processing facilities;
  2. information about the person’s responsibilities, under legal-regulatory-certificatory requirements and organizational policies, specified in that or other signed agreements
  3. as appropriate, information about responsibilities for classification of information and management of organizational information facilities that the person may use;
  4. as appropriate, information about the handling of sensitive information, both internal to the organization and that received from or transferred to outside parties;
  5. information about responsibilities that extend outside the organization’s boundaries (e.g., for mobile devices and teleworking);
  6. information about the organization’s responsibilities for the handling of information related to the person him/herself, generated in the course of employment, contractor or other third party relationship;
  7. actions that can be anticipated, under the organization’s disciplinary process, as a consequence of failure to observe security requirements.

This control may also include the provision of an organizational code of conduct or code of ethics to the employee, contractor, or third party. It may also include a requirement to sign, prior to being given access or other privileges to information or information processing facilities, a separate confidentiality or non-disclosure agreement; and/or acceptable use of assets agreement.

Code Of Conduct

Your firm could lose money if your workers casually share proprietary information with your competitors. Additionally, you could face lawsuits if employees fail to protect your client’s financial information. To avoid such issues, implement a company code of conduct. This HR document should include clear instructions for safeguarding sensitive information. Provide every employee with a copy of this policy and require every new hire to sign an agreement to abide by the code of conduct. Over time you might need to update or amend this document to accommodate the implementation of new processes or procedures. HR representatives are responsible for ensuring that employees are made aware of such changes.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply