What the auditor wants to verify
Audit objective
Verify that personnel screening is risk-based, lawful, completed before joining or sensitive access, and applied consistently to employees and non-employees in ISMS scope.
The auditor wants evidence that background verification checks are defined, applied, documented, and protected as personal data.
Evidence to request
| Evidence | Purpose |
|---|---|
| Screening policy or procedure | Shows screening rules are documented |
| Role-based screening matrix | Shows screening is proportional to role and access risk |
| Completed screening records | Shows checks were performed for sampled personnel |
| Identity verification records | Shows identity checks were completed |
| Qualification or certification verification | Shows claims were independently validated where needed |
| Reference check records | Shows independent verification activity occurred |
| Employment gap follow-up notes | Shows irregularities were reviewed |
| Contractor and third-party onboarding records | Shows non-employees are included |
| Access provisioning records | Shows access was not granted before screening completion |
| Screening data retention and access rules | Shows personal data is handled lawfully and securely |
Strong evidence
Strong evidence test
Prefer sampled records with dates, owners, check results, follow-up notes, and access timing.
- Screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope.
- The depth of screening is linked to role risk, information classification, and business need.
- Checks were completed before start date or before sensitive access.
- Candidate-provided documents were independently verified where permitted.
- Exceptions, limitations, and follow-up actions were documented.
- Screening data is access-controlled, retained for a defined period, and disposed of appropriately.
Weak evidence
Weak evidence warning
Weak evidence usually shows a hiring process exists but does not prove background verification was performed or controlled.
- Candidate CVs are stored without verification evidence.
- Screening records are missing for contractors or temporary staff.
- Checks are completed after access is granted.
- Screening depth is the same for every role with no risk basis.
- Reference checks are verbal and undocumented.
- Screening records are broadly accessible or retained indefinitely.
Sample interview questions
Ask HR or recruitment
- Which roles require which screening checks?
- How do you verify identity, qualifications, employment history, and references?
- What happens when a previous employer only confirms dates and job title?
- How are employment gaps or inconsistencies handled?
- How do you protect screening records?
Ask hiring managers
- How do you know required screening is complete before the person starts?
- Do you request stronger screening for high-risk roles?
- What happens when a person changes into a more sensitive role?
Ask IT or access administrators
- Can access be provisioned before screening is complete?
- How do you verify screening completion before granting privileged access?
Common nonconformities
- No documented screening procedure.
- Screening not completed before joining or access.
- Contractors and third-party users excluded without justification.
- No role-risk basis for screening depth.
- Candidate-provided information accepted without verification.
- Follow-up on irregularities not documented.
- Screening records not handled according to privacy or data protection requirements.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A6 1
Note Metadata
Aliases: A.6.1 Evidence
Source: 04 Audit Evidence Packs/A.6.1 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.