Please complete all required fields!
When organisations think about Information Security and what things need to be in place to achieve their ISO27001 Information Security Management System (ISMS) certifications for some reason they mostly forget about the Human Resources function. That is a little strange when you think about it, your relationship with employees and contractors for that matter starts before they physically start with your organisation so why shouldn't your information security processes start there as well? That should also lead you wonder when they should end as well, which must be after they leave the organisation, which is the span that this clause covers.
For many organisations there is pre-employment activities that go on from interviews to a myriad testing and references. This is what clause A7.1 is looking to cover off by ensuring that all of your candidates for employment or contractors understand their obligations and responsibilities with respect to your ISMS even before they start with your organisation. It is looking for you to ensure they are suitable for the role that you are recruiting for in that respect. There are 2 sub sections to this annex clause:
Now that you have hired someone your information security processes do not stop, in fact they ramp up even more. This clause is set up to ensure that the employees and contractors are fully aware of the information security responsibilities during their time of employment. There are 3 sub sections to this annex clause:
The aim of this last clause is to really ensure that the organisation and its information are protected if someone changes role or leaves the organisation. How often have you found someone on the email list or with access to a system that no longer works in a company or have moved roles so their access should have changed? It's easy to overlook things but the standard requires you to have processes in place to ensure that someone stops having access to information as soon as they no longer have a right to access it, that seems obvious, yet it gets forgotten about. Passwords need to be changed, access rights terminated and building access revoked for a start. What companies and former employees or contractors also forget about is that their information security responsibilities do not stop when they leave the company.
The Human resource requirements annex for your ISO27001 Information Security Management System is probably one of the best defined in the standard. That is because these 3 sections are critical to how well your information security management system is going to work. If you do not inform people of what their responsibilities are and the consequences of not following your policy and procedures, then the outcome you get is the outcome you have set yourself up for.
© Many Caps Consulting | All Rights Reserved
By accepting you will be accessing a service provided by a third-party external to https://www.manycaps.com/