What is the objective of Annex A.7.1 of ISO 27001:2013?

Annex A.7.1 is about the period prior to employment. The objective in this Annex is to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. It also covers what happens when those people leave or change roles. It is an important part of the information security management system (ISMS), especially if you would like to achieve ISO 27001 certification. Let's understand those requirements and what they mean in a bit more depth now.

A.7.1.1 Screening

A good control covers background verification and competence checks on all candidates for employment. These must be carried out in accordance with the relevant laws, regulations and ethics, and should be proportional to the business requirements, the classification of the information that will be accessed and the perceived risks associated. For example, staff accessing higher-level information assets that carry more risk may be subject to much more stringent checks than staff who only ever get access to public information or handle assets with limited threat. Putting in place adequate and proportionate HR controls at all stages of employment helps to reduce the likelihood of accidental or malicious threats.

The screening should also take place for contractors (unless their parent organisation meets your broader security controls, e.g. has their own ISO 27001 and does their own background checks). An auditor will expect to see a screening process with clear procedures being operated consistently each time, which also helps to avoid any preference/prejudice risks. Ideally this will be aligned with the overall organisation hiring process.

The contractual agreement with employees and contractors must state their and the organisation's responsibilities for information security. These agreements are a good place to put key information security general and individual responsibilities, as they carry legal weight, meaning they are backed up by the law. They should reference and cover a whole range of control areas, including overall compliance with the ISMS as well as, more specifically, acceptable use, IPR ownership, return of assets etc. This is also very important as regards GDPR and the new Data Protection Act 2018. We recommend working with an HR lawyer if you are unsure, as the consequences of getting employment contracts wrong from an information security perspective (and other dimensions) can be significant.

What is the objective of Annex A.7.2 of ISO 27001:2013?

The objective in this Annex is to ensure that employees and contractors are aware of and fulfil their information security responsibilities during employment.

A.7.2.1 Management responsibilities

A good control describes how employees and contractors apply information security in accordance with the policies and procedures of the organisation. Managers play a critical role in ensuring security consciousness and conscientiousness throughout the organisation and in developing an appropriate "security culture". The responsibilities placed upon managers should include requirements to:

- Ensure that those they are responsible for understand the information security threats, vulnerabilities and controls relevant to their job roles and receive regular training (as per A.7.2.2);
- Ensure buy-in to proactive and adequate support for relevant information security policies and controls; and
- Reinforce the requirements of the terms and conditions of employment.

A.7.2.2 Information Security Awareness, Education & Training

All employees and relevant contractors must receive appropriate awareness education and training to do their job well and securely. They must also receive regular updates on organisational policies and procedures when these are changed, along with a good understanding of the applicable legislation that affects them in their role.