Requirement
Requirement lens
Screening is a people-risk control. The test is not whether HR has a hiring process; it is whether background verification is risk-based, lawful, documented, and applied before access is granted.
“Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.”
Plain-language meaning
The organization should check that people are who they claim to be, have the relevant background for the role, and do not present unmanaged personnel risk before they join or receive access.
The depth of screening should match the role. A person handling regulated customer data, privileged administration, finance approval, or sensitive investigations needs stronger checks than a short-term low-risk role. The organization must also stay inside applicable law, regulation, and ethical boundaries.
Why this matters
People can become the strongest control or the easiest path to compromise. Poor screening increases the chance of insider misuse, fraud, social engineering, unauthorized disclosure, and trust being given to someone whose background was never verified.
Screening also protects the organization from weak hiring assumptions. A CV, reference letter, or qualification supplied by the candidate is not strong evidence unless it is verified where legally permitted.
Implementation guidance
Implementer focus
Build screening into the joiner and contractor onboarding workflow. The control fails if verification happens after the person already has sensitive access.
1. Define who is in scope
Screening should cover people working within the ISMS scope, including:
- employees;
- contractors;
- temporary staff;
- consultants;
- third-party users who receive organization access or handle organization information.
Do not treat contractors as outside the control just because they are not on payroll.
2. Create a risk-based screening matrix
Use a matrix that maps role risk to screening depth.
| Role or access factor | Screening implication |
|---|---|
| Access to sensitive or classified information | Verify identity, employment history, references, and role suitability where permitted |
| Access to PII | Apply privacy and data-protection-aware screening and retention controls |
| Privileged system access | Consider stronger verification before admin access is granted |
| Finance, legal, HR, procurement, or security role | Check relevant qualifications, trust indicators, and conflicts where lawful |
| Low-risk temporary role | Use proportionate checks, not excessive collection |
Screening should be proportional. Over-screening can create legal, ethical, and privacy risk.
3. Verify independently where permitted
Possible checks include:
- identity verification;
- CV and employment history review;
- qualification and certification verification;
- reference checks;
- review of unexplained employment gaps or inconsistencies;
- confirmation of previous roles and responsibilities where the role is sensitive.
Some previous employers may only confirm dates and job title. That limitation is not a failure by itself, but the organization should document what was attempted, what was confirmed, and what follow-up was performed.
4. Control screening records as sensitive personal data
Screening records usually contain personal data and sometimes sensitive personal data. They should be protected using retention, access control, lawful purpose, and disposal rules aligned to A.5.34 Privacy and Protection of PII and A.5.33 Protection of Records.
Keep records long enough to support employment decisions, appeals, and audit needs, but do not keep them indefinitely without a lawful reason.
5. Decide when ongoing screening is justified
Ongoing screening does not mean constant intrusive monitoring. It means rescreening or updated verification where it is justified, lawful, ethical, and risk-based.
Examples:
- a person moves into a privileged administrator role;
- a contractor is extended into a higher-risk engagement;
- a regulated role requires periodic checks;
- a major access change increases exposure to classified or sensitive information.
Audit guidance
Auditor focus
Test whether screening is consistently applied before joining or access, including contractors and third-party users. Then test whether screening data itself is protected.
Auditors should verify that screening procedures exist, are applied consistently, and include appropriate verification checks for the role risk.
Audit testing should include:
- the screening procedure and screening matrix;
- samples of new hires and contractors;
- evidence that checks were completed before start date or before sensitive access;
- independent verification records, not only candidate-provided documents;
- documented follow-up on gaps, inconsistencies, or reference issues;
- interviews with HR, hiring managers, recruitment staff, and contractor owners;
- access control samples to confirm people were not provisioned early;
- privacy and data protection handling of screening records.
The auditor should challenge any process that screens employees but ignores contractors or third-party users who access the same information.
Evidence examples
Evidence quality
Strong evidence proves that screening was risk-based, completed on time, independently verified where possible, and protected as personal data.
| Evidence | What it proves |
|---|---|
| Screening policy or procedure | Screening process is documented |
| Role-based screening matrix | Screening depth is proportional to role risk |
| Completed screening records | Checks were performed for actual personnel |
| Identity verification record | Candidate identity was checked |
| Qualification verification | Claimed qualifications were validated |
| Reference check notes | Independent reference activity was performed |
| Employment gap follow-up | Irregularities were reviewed and documented |
| Contractor onboarding records | Non-employees are included in scope |
| Access provisioning timestamps | Access was not granted before screening completion |
| Privacy retention rules | Screening records are protected and retained lawfully |
Strong evidence
- Screening procedure covers employees, contractors, temporary staff, and third-party users in ISMS scope.
- Screening depth is mapped to role risk and information classification.
- Checks are completed before joining or before sensitive access is granted.
- Candidate-provided CVs, certificates, and references are independently verified where permitted.
- Employment gaps or irregularities are questioned and documented.
- Screening records are retained, restricted, and disposed of according to legal and privacy requirements.
- Ongoing screening is triggered by risk-based role or access changes.
Weak evidence
- Candidate-supplied CVs and certificates are accepted without verification.
- Checks happen after the person already starts work or receives access.
- Contractors and temporary staff are excluded without justification.
- Every role receives the same screening with no risk basis.
- Screening records are stored in open HR folders or retained indefinitely.
- Referee conversations or follow-up actions are not documented.
- The organization cannot explain legal limits on screening.
Common failures
Implementation watchouts
Screening fails when HR, security, and access provisioning are disconnected.
| Failure | Why it matters |
|---|---|
| Screening happens after onboarding | The risk has already been accepted without evidence |
| Contractors are ignored | Third-party access can create the same exposure as employees |
| No role-risk matrix | Screening becomes arbitrary or excessive |
| No independent verification | Candidate assertions are treated as facts |
| No privacy controls over screening data | The control creates a separate PII risk |
| No documented follow-up | Irregularities cannot be shown to have been considered |
| Rescreening triggers are unclear | Ongoing screening becomes either absent or intrusive |
Exam traps
Exam focus
The key word is proportional. The standard is not asking for the maximum possible background check for every person.
| Trap | Correct interpretation |
|---|---|
| Screening means criminal-record checks only | Screening can include identity, CV, qualifications, references, gaps, and role suitability checks where permitted |
| Everyone must receive the same depth of screening | Screening should be proportional to business need, information classification, and perceived risk |
| Contractors are outside employment controls | A.6.1 covers people working in ISMS scope, including contractors and third-party users |
| Ongoing screening means constant monitoring | Ongoing screening should be risk-based, lawful, ethical, and triggered by role/access need |
| More screening is always better | Excessive screening can breach law, ethics, privacy, or proportionality |
| Candidate documents are enough | Strong evidence usually requires independent verification where permitted |
Related controls and concepts
- A.6 People Controls MOC
- A.6.2 Terms and Conditions of Employment
- A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
- A.5.34 Privacy and Protection of PII
- A.5.33 Protection of Records
- Roles and Responsibilities
- Risk Assessment
- Statement of Applicability
- Internal Audit
- Personnel Screening Register
- Background Verification Checklist
- A.6.1 Audit Evidence Pack
- A.6.1 Audit Checklist
KB-ready summary
- Screening is a risk-based personnel trust control.
- Checks should happen before joining or before sensitive access is granted.
- Screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope.
- Screening depth should reflect business requirements, information classification, role sensitivity, and perceived risk.
- Independent verification is stronger than candidate-provided documents.
- Screening records are sensitive personal data and must be protected.
- Ongoing screening should be lawful, ethical, proportionate, and triggered by justified risk changes.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- People controls
- Personnel security
- Screening
- Audit
Note Metadata
Aliases: A.6.1, Screening
Source: 03 Annex A People Controls/A.6.1 Screening.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Control
ISO 27001 A.6.1 - ScreeningRequirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Internal Audit
- Risk Assessment
- Roles and Responsibilities
- Statement of Applicability
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.33 - Protection of Records
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- A.6 People Controls MOC
- A.6.1 Audit Evidence Pack
- AQ-ISO27001-A.6.1 Screening
- A.6 People Controls Implementation Guide
- A.6 People Controls Audit Guide
- ISO27001-A.6.1 Screening
- A.6 People Controls Implementation Audit Risk Mapping
- EXAM-016 - People Controls: Screening and Employment Terms
- ISO 27002 Annex A Control Interpretation Map
- A.6.1 Audit Checklist
- Background Verification Checklist
- Personnel Screening Register
- Annex A Controls MOC