ISO 27001 - Annex A.7 - Human resource security

In today's digital revolution, mobile business, interconnectivity and remote working all mean one thing: security must be at the forefront of any organisation's attention. This does not only apply to hackers and cyber-attacks; it applies to employees too, because they are prone to human error.

In order to maintain this level of safety, ISO 27001 Annex A.7 is an important part of the implementation. This group of controls is specifically intended to safeguard against internal data leaks caused by non-compliance on the part of company personnel.

This article offers comprehensive knowledge of Annex A.7's objectives and controls, as well as the implementation method and why it is critical for an organisation to execute them.

Update: It is important to highlight that the ISO 27001:2013 standard was updated on 25th October 2022, resulting in the most recent edition, ISO 27001:2022, with revised guidelines. For the most current and precise details about the ISO 27001 Annex A controls, please refer to the updated version.

What is Annex A.7?

Annex A.7 is the most well-structured section of Annex A. It outlines the management system requirements for employees and contractors before, during, and after employment, and covers HR duties such as recruiting, contracts, awareness, education, training, discipline, change of role, and termination.

The main goal of Annex A.7 is to guarantee that all employees, suppliers, and contractors are suitable for their roles, understand the tasks and responsibilities of their engagement, and have their access revoked once the engagement is finished.

Although this may be the overarching goal, each control of Annex A.7 has its own objective.

 

What is the objective of Annex A.7?

Just as it is exposed to cyber-attacks, your ISMS is also exposed to human resource errors. To counter these, Annex A.7 provides three major control groups:

Annex A.7.1: Prior to employment

This Annex's goal is to guarantee that workers and contractors are aware of their obligations and are fit for the jobs they are being evaluated for. It also covers what happens when employees resign, change roles or are terminated.

To put this into practice, careful planning and a clear understanding of roles and duties are required. Individual Employment Agreements (IEAs) and Contractor Agreements (CAs) can be used to set out well-defined job descriptions.

Annex A.7.2: During employment

This section's goal is to ensure that all workers and contractors understand and fulfil their duties related to information security while on the job. There may be a variety of approaches taken.

Start with a well-structured induction and integrate information security into your new employee orientation programme. Depending on your system, this should cover your policies, asset management, system access, building access, password strength, malware, backups, software controls, networks, purchasing, incidents, and business continuity.

Next, implement a programme of ongoing education and training for your whole workforce that covers the topics above. This is a continuous effort; one-time training sessions are not enough.

 

Annex A.7.3: Termination and change of employment

Annex A.7.3 focuses on termination and job changes. The goal of this Annex is to safeguard the interests of the organisation while employment arrangements are modified or terminated.

You are required to have mechanisms in place to handle the situation when an employee or contractor leaves or changes jobs. The following questions, among many others, would need to be answered:

  • What happens to your systems' integrity?
  • Are there any permissions that need to be changed?
  • How often do you change passwords?
  • Have building access codes been changed?
  • What happens to information stored on their work devices?

The core of understanding how to implement Annex A.7 controls is first understanding what human resource security is.

 

What is human resource security?

The human resource security clause evaluates controls before, during, and after hiring a new employee. Controls include but are not limited to the definitions of roles and duties, recruitment, contract terms and conditions, awareness, education and training, disciplinary processes, and termination of activities.

Return of assets and management of access privileges are also covered by the controls in accordance with ISO/IEC 27001's requirements for human resources security.

 

What are the Annex A.7 controls?

Now that you have an understanding of what Annex A.7 is and the objectives of its controls let's take a look at the individual controls under each of the major clauses.

A.7.1.1: Screening 

All job applicants should be subjected to background checks and competency assessments. According to applicable laws, regulations, and ethical standards, these checks must be proportional to the business needs, the classification of the information that will be accessed, and the risks identified.

Contractors should also be screened, even if the contractor's parent organisation already meets your broader security requirements, for example through an ISO 27001 certification and its own background checks.

A.7.1.2: Terms and conditions of employment

Information security obligations should be explicitly stated in contracts with both employees and contractors. Make sure that all parties are aware of and familiar with NDAs, legal rights and duties, data processing, and the use of third-party information. It is critical that disciplinary measures are guided by defined policies within the organisation.

A.7.2.1: Management responsibilities

Senior management should ensure that all stakeholders know their information security duties and responsibilities and are motivated to perform them, and should establish anonymous means for reporting information security violations. Management buy-in is crucial for a company's security culture. This is when an outside manager or management team purchases a controlling ownership stake in an outside company and replaces its existing management team.

Additionally, it is the responsibility of managers to ensure that security awareness and conscientiousness are maintained across the organisation and to build an acceptable "security culture."

A.7.2.2: Information security awareness, education and training

All employees and, where necessary, contractors should receive adequate awareness, education and training, and frequent updates on organisational rules and procedures.

The training and awareness material must be presented in a way that gives your employees and contractors the best chance of understanding and following it. This means paying attention both to the content and to the medium of delivery. This matters because auditors will want evidence of your training and of compliance with it.

A.7.2.3: Disciplinary process

Employees who have violated company information security policies face disciplinary action under a well-defined and documented disciplinary procedure.

Before the disciplinary procedure begins, it must first be established that an information security breach has actually happened. Employees accused of information security breaches should go through a formal disciplinary procedure so that they are treated fairly.

A.7.3.1: Termination or change of employment responsibilities

The employee's or contractor's terms and conditions of employment should include any responsibilities or tasks that remain in place after the employment or engagement ends.

Changes in responsibilities or employment should be managed at the point where the present responsibility or job ends and the new one begins. This also includes the return of company property and the termination of access privileges, including physical access, to avoid security breaches.
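As an added illustration that is not part of the original article, the following Python check turns the A.7.3 questions above (permissions, building access, work devices) and the A.7.3.1 requirement to remove access and recover property into a reconciliation between an HR leaver/mover list and a snapshot of accounts, badges and assets. All records and the role-to-group mapping are constructed for the example, not taken from any real HR system or identity provider.

```python
from datetime import date

# Constructed HR records: id, status, leaving date, current role, previous role.
HR_RECORDS = [
    {"id": "e100", "status": "active", "left": None, "role": "engineer", "prev_role": None},
    {"id": "e200", "status": "left", "left": date(2024, 3, 1), "role": "finance", "prev_role": None},
    {"id": "e300", "status": "active", "left": None, "role": "support", "prev_role": "finance"},
    {"id": "c400", "status": "left", "left": date(2024, 2, 15), "role": "contractor", "prev_role": None},
]
# Constructed identity/asset snapshot: account state, groups, badge state, unreturned assets.
ACCOUNTS = {
    "e100": {"enabled": True, "groups": {"eng"}, "badge": True, "assets": []},
    "e200": {"enabled": True, "groups": {"finance-ro"}, "badge": True, "assets": ["laptop-17"]},
    "e300": {"enabled": True, "groups": {"support", "finance-ro"}, "badge": True, "assets": []},
    "c400": {"enabled": False, "groups": set(), "badge": False, "assets": []},
}
# Assumed mapping of roles to the groups they are entitled to.
ROLE_GROUPS = {"engineer": {"eng"}, "finance": {"finance-ro"}, "support": {"support"}, "contractor": set()}
AS_OF = date(2024, 4, 1)  # review date for the sample run


def leaver_mover_review(hr_records, accounts, as_of):
    """Return (person id, finding) pairs for leavers whose access, badge or
    assets are outstanding, and for movers who kept groups of a previous role."""
    findings = []
    for rec in hr_records:
        acct = accounts.get(rec["id"])
        if acct is None:
            continue  # no account to check
        if rec["status"] == "left" and rec["left"] <= as_of:
            if acct["enabled"]:
                findings.append((rec["id"], "account still enabled after termination"))
            if acct["groups"]:
                findings.append((rec["id"], "group memberships not removed"))
            if acct["badge"]:
                findings.append((rec["id"], "building badge still active"))
            if acct["assets"]:
                findings.append((rec["id"], "assets not returned: " + ", ".join(acct["assets"])))
        elif rec["prev_role"]:
            # A mover keeps only the groups of the new role; anything left over from the old role is stale.
            stale = (acct["groups"] & ROLE_GROUPS[rec["prev_role"]]) - ROLE_GROUPS[rec["role"]]
            if stale:
                findings.append((rec["id"], "stale groups from previous role: " + ", ".join(sorted(stale))))
    return findings


if __name__ == "__main__":
    for person, finding in leaver_mover_review(HR_RECORDS, ACCOUNTS, AS_OF):
        print(f"{person}: {finding}")
```

The sample run flags the leaver e200 four times and the mover e300 once, while the correctly offboarded contractor c400 produces nothing; the same list is the evidence an auditor would ask for under A.7.3.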

 

Why is human resource security important for your organisation?

By adopting the framework's principles, organisations can maintain a human resources management system that fits their needs and preserves the availability, integrity, and confidentiality of their data.

Additionally, human resource security demonstrates that you are able to:

  • Establish a secure human resources management framework.
  • Follow the framework and concepts of ISO 27002 in the establishment of human resources security controls in businesses.
  • Understand the roles and responsibilities of the components of human resources security management, such as hiring and recruiting, education, training, and termination of activities.
  • Assist a company in the implementation and management of ISO/IEC 27002-based human resources security controls.
  • Assist organisations in applying key controls before, during, and after the employment of human resources.

 

Conclusion

Annex A.7 of ISO 27001 aims to improve your organisation’s human resource management and provide the information security you need with regard to your employees.

It is a crucial step towards ISO 27001 certification and helps to establish a stronger connection and trust with your customers. If you require assistance in becoming ISO certified or in establishing the clauses of Annex A, DataGuard's team of information security experts is ready to guide you through the process.
