UnixTime

Research Note

EXAM-016 - People Controls: Screening and Employment Terms

- Screening must be lawful, ethical, proportional, and risk-based. - Screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope. - Candida...

On this page

Memory cues

Control Cue
A.6.1 Screening Verify the person before trust is granted
A.6.2 Terms and Conditions of Employment Make security responsibilities explicit before work starts

What the exam is likely testing

  • Screening must be lawful, ethical, proportional, and risk-based.
  • Screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope.
  • Candidate-supplied documents are weak unless independently verified where permitted.
  • Employment terms must state both personnel and organization information security responsibilities.
  • Confidentiality agreements support A.6.2 but do not replace broader security responsibility terms.
  • Personnel data collected for screening or HR purposes must be protected.

Common wrong answers

Wrong answer Why it is wrong
Screen everyone with the strongest possible check Violates proportionality and may violate law or ethics
Accept the CV and certificates because HR collected them Collection is not independent verification
Contractors do not need screening or security terms People in ISMS scope can include contractors and third-party users
NDA equals A.6.2 compliance A.6.2 covers broader security responsibilities
Terms can be signed after access is granted The control expects responsibilities to be clear before work or access
Ongoing screening means continuous surveillance It should be lawful, ethical, and risk-triggered

Quick distinction

Question A.6.1 A.6.2
Main purpose Verify suitability and reduce personnel trust risk Define accepted security responsibilities
Timing Before joining or before sensitive access; ongoing when justified Before work starts or before confidential access
Evidence Screening records, verification notes, risk-based matrix Signed terms, confidentiality agreements, acknowledgements
Main owner HR/recruitment with security and managers HR/legal/procurement with security and managers
Key trap Over-screening or under-screening Treating NDA as the whole control

Practical mentor takeaway

Last-day cue

A.6.1 asks: did we check the person appropriately before trusting them? A.6.2 asks: did the person and organization clearly accept their security responsibilities before work or access?

  • Iso27001
  • ISO27002
  • Exam
  • People controls

Note Metadata

Aliases: A.6.1 vs A.6.2 exam cues

Source: 09-Exam-Preparation/EXAM-016-People-Controls-Screening-and-Terms.md