ISO 27001 - Annex A.7 - Human Resource Security

by Maya G

Today's digital revolution means that remote workers, interconnectedness, and mobile business all imply that security must be a top priority for any organization. This holds true for employees as well because they are susceptible to human mistakes, thus it doesn't just relate to hackers and cyberattacks.

The execution of ISO 27001 Annex A.7 is crucial for maintaining this degree of safety. This security solution is primarily designed to prevent internal data leaks brought on by staff members who don't follow business policies.

The aims and controls of Annex A.7 are thoroughly explained in this article, along with the implementation process and the reasons that an organization must follow it.

What is Annex A.7?

Annex A.7 of ISO 27001 is a set of requirements for the establishment of an Information Security Management System (ISMS). It is based on a risk management approach and provides a framework for implementing security controls.

The standard is intended to be used by organizations of all sizes and industries. It can be applied to any type of information, regardless of its format, location, or system.

Annex A.7 is organized around the following four sections:

  • Introduction
  • ISMS Scope
  • ISMS Policy
  • ISMS Procedures

What is the objective of Annex A.7?

The objective of Annex A.7 is to ensure that all information security risks are managed in a structured and systematic manner, considering the organization’s overall risk appetite.

7.1 Prior to employment: 

Annex A 7.1 of the ISO 27001 standard states that "The organization shall ensure that prior to the commencement of employment, all recruits:

  1. Are made aware of the importance of security.
  2. Undergo security induction training.
  3. Receive appropriate security clearance
  4. Are made aware of their security responsibilities."

To comply with this Annex, organizations must put in place procedures for the recruitment of new employees. These procedures should ensure that all recruits are made aware of the importance of security and receive appropriate security training. In addition, all recruits should undergo security clearance and be made aware of their security responsibilities.

Annex A7.1.1 Screening :

Annex    A 7.1.1 Screening (ISO 27001) is a process that determines whether an information security event should be investigated further. This process is important because it allows organizations to prioritize their resources and focus on the most serious threats.

The screening process begins with the identification of an event. This can be done through various means, such as monitoring, literature review, and intelligence gathering. Once an event has been identified, it is assessed to determine if it meets the criteria for further investigation.

If the event does not meet the criteria, it is dismissed, and no further action is taken. However, if the event does meet the criteria, it is escalated to the next stage of the investigation process

Annex A7.1.2 Terms and conditions of employment :

Annex A7.1.2 Terms and conditions of employment (ISO 27001) sets out the guidance for human resources policy in ISO 27001. The purpose of this Annex is to provide an overview of the requirements for Annex A7.1.2 Terms and conditions of employment and how these requirements can be met.

Organizations are required to define and document their human resources policy as part of their ISMS. The human resources policy should address the following:

  • The identification of roles and responsibilities within the organization for information security
  • The selection, development, and management of personnel
  • The induction and training of personnel in information security
  • The definition of terms and conditions of employment that address information security
  • The performance management of personnel
  • The provision of security awareness training and education

Annex A7.1.2 Terms and conditions of employment (ISO 27001) provides guidance on how to develop and implement a human resources policy that meets the requirements of ISO 27001.

Annex A.7.2: During employment :

Annex A.7.2 of ISO 27001 provides guidance on the procedures that should be followed during employment. The annex contains a list of duties that employees should perform during their employment.

The purpose of this Annex is to provide guidance on how to establish, implement, operate, monitor, review, maintain, and improve processes and controls during the course of employment.

Organizations should take into account the employment relationship when determining the scope of their Annex A.7.2 processes and controls. The type of employment relationship (e.g. contractual, agency worker, freelancer, volunteer) will have an effect on the way in which processes and controls are implemented.

The main concepts in this Annex are:

  • Establishing processes and controls during employment
  • Implementing processes and controls during employment
  • Operating processes and controls during employment
  • Monitoring processes and controls during employment
  • Reviewing processes and controls during employment
  • Maintaining processes and controls during employment
  • Improving processes and controls during employment

Annex A. 7.2.1 Management responsibilities :

Annex A. 7.2.1 of the ISO 27001 standard specifies the requirements for the management of information security within an organization. The standard is generic and applicable to all organizations, regardless of size, type, or business sector.

The requirements of Annex A. 7.2.1 are designed to ensure that the management of information security is given the attention it deserves, and that it is given the same importance as other aspects of the organization's business.

The Annex A. 7.2.1 requirements are divided into three main sections:
  • The first section covers the responsibilities of management,
  • The second section covers the communication of security policy, and
  • The third section covers the management of security incidents.

Annex A. 7.2.2 Information security awareness, education, and training :

The purpose of this clause is to provide requirements for establishing, maintaining, and improving an information security awareness, education, and training program within the organization.

Organizations should develop and maintain an information security awareness, education, and training program that suits the organization’s size, structure, culture, and business risks. The program should aim to:

  • Increase awareness of information security risks, responsibilities, and good practices throughout the organization.
  • Fulfil the information security education and training needs of employees, contractors, and other relevant persons.
  • Provide adequate and up-to-date information security education and training to new and existing employees, actors, and other relevant persons.
  • Ensure that employees, contractors, and other relevant persons have the necessary information security knowledge and skills to fulfil their information security roles and responsibilities.
  • Maintain and improve employees’, contractors, and other relevant persons’ information security knowledge and skills; and
  • Contribute to the development of the organization

Annex A. 7.2.3 Disciplinary process :

The purpose of this blog is to provide an overview of Annex A.7.2.3 of the ISO 27001 standard. This section of the standard deals with the disciplinary process that should be followed in the event of a breach of security.

Organizations need to have a disciplinary process in place in order to ensure that employees are aware of the consequences of breaching security policy. This will help to discourage employees from breaching security and will also help to identify and address any security issues that may arise.

Organizations should also ensure that they have a clear and concise security policy in place that is communicated to all employees. This will help ensure that employees are aware of what is expected of them in terms of security and will also help reduce the likelihood of a security breach.

Annex A. 7.3 Termination and change of employment:

Annex A. 7.3 of the standard specifies the termination and change of employment requirements. It includes the following:

  • The employer must give the employee at least 4 weeks’ notice e of their intention to terminate the employment.
  • The employee must be given the option to resign with 2 weeks' notice.
  • The employer must offer the employee the opportunity to transfer to another job within the company with the same or similar duties, if available.
  • If the transfer is not possible or the employee does not wish to transfer, the employer must give the employee 4 weeks' notice of termination.
  • The employee is entitled to receive all pay and benefits due to them up to the date of termination of employment.
  • The employer must provide the employee with a statement of service, specifying the dates of employment, duties, and pay.

Annex A.7.3.1: Termination or change of employment responsibilities:

Annex A.7.3.1 of the ISO 27001 standard states that an organization must have a procedure in place for employees' termination or change of employment responsibilities. This procedure is necessary to ensure that employees who leave the organization do not take confidential information with them, and hat their access to organizational resources is terminated.

The procedures laid out in Annex A.7.3.1 are as follows:

  • The organization must have a list of all employees and their roles and responsibilities within the organization.
  • When an employee is leaving the organization, their manager must review the list of roles and responsibilities to determine which ones the employee had access to.
  • The manager must then remove the employee’s access to those resources and reassign them to another employee.
  • The manager must also inform the employee of the organization’s confidentiality policy and remind them not to take any confidential information with them when they leave.
  • Finally, the manager must update the list of roles and responsibilities to reflect the changes that have been made.

Why is human resource security important for your organisation?

The purpose of human resource security is to protect an organization’s people and information. The process of human resource security includes the identification, assessment, and mitigation of risks to people and information.

To protect its people and information, an organization must have a clear understanding of the risks that it faces. It must then put in place controls to mitigate those risks. By doing so, an organization can protect its most valuable assets – its people and information.

Here are four reasons why human resource security is important for your organization:

  1. To protect your organization’s reputation
  2. To ensure compliance with laws and regulations
  3. To safeguard your organization’s intellectual property
  4. To protect your organisation’s people

Conclusion:

The goal of ISO 27001's Annex A.7 is to help you manage your human resources more effectively and give you the employee information security you require.

It is an integral part of obtaining ISO 27001 certification and contributes to building stronger relationships and customer confidence. DataGuard's team of information security specialists is prepared to assist you if you need help creating the provisions of Annex A or getting ISO certification.