UnixTime

Research Note

ISO 27001 A.6.1 - Screening

The organization should check that people are who they claim to be, have the relevant background for the role, and do not present unmanaged personnel risk before they join or re...

On this page

Requirement

Requirement lens

Screening is a people-risk control. The test is not whether HR has a hiring process; it is whether background verification is risk-based, lawful, documented, and applied before access is granted.

“Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.”

Plain-language meaning

The organization should check that people are who they claim to be, have the relevant background for the role, and do not present unmanaged personnel risk before they join or receive access.

The depth of screening should match the role. A person handling regulated customer data, privileged administration, finance approval, or sensitive investigations needs stronger checks than a short-term low-risk role. The organization must also stay inside applicable law, regulation, and ethical boundaries.

Why this matters

People can become the strongest control or the easiest path to compromise. Poor screening increases the chance of insider misuse, fraud, social engineering, unauthorized disclosure, and trust being given to someone whose background was never verified.

Screening also protects the organization from weak hiring assumptions. A CV, reference letter, or qualification supplied by the candidate is not strong evidence unless it is verified where legally permitted.

Implementation guidance

Implementer focus

Build screening into the joiner and contractor onboarding workflow. The control fails if verification happens after the person already has sensitive access.

1. Define who is in scope

Screening should cover people working within the ISMS scope, including:

  • employees;
  • contractors;
  • temporary staff;
  • consultants;
  • third-party users who receive organization access or handle organization information.

Do not treat contractors as outside the control just because they are not on payroll.

2. Create a risk-based screening matrix

Use a matrix that maps role risk to screening depth.

Role or access factor Screening implication
Access to sensitive or classified information Verify identity, employment history, references, and role suitability where permitted
Access to PII Apply privacy and data-protection-aware screening and retention controls
Privileged system access Consider stronger verification before admin access is granted
Finance, legal, HR, procurement, or security role Check relevant qualifications, trust indicators, and conflicts where lawful
Low-risk temporary role Use proportionate checks, not excessive collection

Screening should be proportional. Over-screening can create legal, ethical, and privacy risk.

3. Verify independently where permitted

Possible checks include:

  • identity verification;
  • CV and employment history review;
  • qualification and certification verification;
  • reference checks;
  • review of unexplained employment gaps or inconsistencies;
  • confirmation of previous roles and responsibilities where the role is sensitive.

Some previous employers may only confirm dates and job title. That limitation is not a failure by itself, but the organization should document what was attempted, what was confirmed, and what follow-up was performed.

4. Control screening records as sensitive personal data

Screening records usually contain personal data and sometimes sensitive personal data. They should be protected using retention, access control, lawful purpose, and disposal rules aligned to A.5.34 Privacy and Protection of PII and A.5.33 Protection of Records.

Keep records long enough to support employment decisions, appeals, and audit needs, but do not keep them indefinitely without a lawful reason.

5. Decide when ongoing screening is justified

Ongoing screening does not mean constant intrusive monitoring. It means rescreening or updated verification where it is justified, lawful, ethical, and risk-based.

Examples:

  • a person moves into a privileged administrator role;
  • a contractor is extended into a higher-risk engagement;
  • a regulated role requires periodic checks;
  • a major access change increases exposure to classified or sensitive information.

Audit guidance

Auditor focus

Test whether screening is consistently applied before joining or access, including contractors and third-party users. Then test whether screening data itself is protected.

Auditors should verify that screening procedures exist, are applied consistently, and include appropriate verification checks for the role risk.

Audit testing should include:

  • the screening procedure and screening matrix;
  • samples of new hires and contractors;
  • evidence that checks were completed before start date or before sensitive access;
  • independent verification records, not only candidate-provided documents;
  • documented follow-up on gaps, inconsistencies, or reference issues;
  • interviews with HR, hiring managers, recruitment staff, and contractor owners;
  • access control samples to confirm people were not provisioned early;
  • privacy and data protection handling of screening records.

The auditor should challenge any process that screens employees but ignores contractors or third-party users who access the same information.

Evidence examples

Evidence quality

Strong evidence proves that screening was risk-based, completed on time, independently verified where possible, and protected as personal data.

Evidence What it proves
Screening policy or procedure Screening process is documented
Role-based screening matrix Screening depth is proportional to role risk
Completed screening records Checks were performed for actual personnel
Identity verification record Candidate identity was checked
Qualification verification Claimed qualifications were validated
Reference check notes Independent reference activity was performed
Employment gap follow-up Irregularities were reviewed and documented
Contractor onboarding records Non-employees are included in scope
Access provisioning timestamps Access was not granted before screening completion
Privacy retention rules Screening records are protected and retained lawfully

Strong evidence

  • Screening procedure covers employees, contractors, temporary staff, and third-party users in ISMS scope.
  • Screening depth is mapped to role risk and information classification.
  • Checks are completed before joining or before sensitive access is granted.
  • Candidate-provided CVs, certificates, and references are independently verified where permitted.
  • Employment gaps or irregularities are questioned and documented.
  • Screening records are retained, restricted, and disposed of according to legal and privacy requirements.
  • Ongoing screening is triggered by risk-based role or access changes.

Weak evidence

  • Candidate-supplied CVs and certificates are accepted without verification.
  • Checks happen after the person already starts work or receives access.
  • Contractors and temporary staff are excluded without justification.
  • Every role receives the same screening with no risk basis.
  • Screening records are stored in open HR folders or retained indefinitely.
  • Referee conversations or follow-up actions are not documented.
  • The organization cannot explain legal limits on screening.

Common failures

Implementation watchouts

Screening fails when HR, security, and access provisioning are disconnected.

Failure Why it matters
Screening happens after onboarding The risk has already been accepted without evidence
Contractors are ignored Third-party access can create the same exposure as employees
No role-risk matrix Screening becomes arbitrary or excessive
No independent verification Candidate assertions are treated as facts
No privacy controls over screening data The control creates a separate PII risk
No documented follow-up Irregularities cannot be shown to have been considered
Rescreening triggers are unclear Ongoing screening becomes either absent or intrusive

Exam traps

Exam focus

The key word is proportional. The standard is not asking for the maximum possible background check for every person.

Trap Correct interpretation
Screening means criminal-record checks only Screening can include identity, CV, qualifications, references, gaps, and role suitability checks where permitted
Everyone must receive the same depth of screening Screening should be proportional to business need, information classification, and perceived risk
Contractors are outside employment controls A.6.1 covers people working in ISMS scope, including contractors and third-party users
Ongoing screening means constant monitoring Ongoing screening should be risk-based, lawful, ethical, and triggered by role/access need
More screening is always better Excessive screening can breach law, ethics, privacy, or proportionality
Candidate documents are enough Strong evidence usually requires independent verification where permitted

KB-ready summary

  • Screening is a risk-based personnel trust control.
  • Checks should happen before joining or before sensitive access is granted.
  • Screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope.
  • Screening depth should reflect business requirements, information classification, role sensitivity, and perceived risk.
  • Independent verification is stronger than candidate-provided documents.
  • Screening records are sensitive personal data and must be protected.
  • Ongoing screening should be lawful, ethical, proportionate, and triggered by justified risk changes.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • People controls
  • Personnel security
  • Screening
  • Audit

Note Metadata

Aliases: A.6.1, Screening

Source: 03 Annex A People Controls/A.6.1 Screening.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.