Annex A of ISO 27001 is an essential tool for managing security. In this third blog on the ISO controls in Annex A, we discuss Control A:7 in more depth. This control is designed specifically to protect against information breaches caused within the organization by its own employees.
Annex A:7 is directed at ensuring that employees and contractors are aware of, and fulfill, their information security responsibilities.
Annex A:7 Human Resources Security
Annex A.7.1 covers the important aspects prior to employment. The sole objective of this Annex is to raise awareness of information security among employees and contractors. Business owners are obliged to educate their HR team to produce policies and to obtain acknowledgement of those policies from employees.
A.7.2.1 Prior to employment - Management responsibilities
This section notes that a good HR team can lead employees efficiently, but keeping information security intact is the responsibility of management. Management should explain the policies and procedures for securing information to employees and contractors. Before employment, an organization must ensure that all employees and contractors:
- are responsible for understanding the information security threats, vulnerabilities and controls relevant to their job roles, and receive regular training (as per A.7.2.2).
- undergo background checks before being granted access to any data.
- acknowledge all the legal regulations and policies as per the business requirements.
- have a contractual agreement in place that states all of the organization's responsibilities if there is any breach of information security.
A.7.2.2 During employment - Information Security Awareness, Education & Training
During employment, all employees and relevant contractors must receive education and training at intervals so they can do their jobs well and securely. They must receive regular updates on organizational policies and procedures whenever there is a change. The policies must provide a good understanding of the applicable legislation that affects them in their role. An organization can set up a security team that works alongside the HR or Learning and Development team to produce training sessions. These induction sessions must be held every 6 months, yearly, or whenever there is a significant change. The organization needs to be able to demonstrate that training and compliance to auditors. It should also hold feedback sessions and record how effectively these inductions helped the team.
A.7.3.1 Termination or change of employment responsibilities
The objective is to protect the organization’s interests as part of the process of changing or terminating employment.
This Annex says that when any employee's employment is terminated, they remain legally bound to maintain information security. Employees should sign a Return of Property form under which they return all company property. This is not just about exit and termination; it is about confidentiality. The organization must advise the employee that they no longer have access to information assets and that the information must be kept confidential.