Memory cues
| Control | Cue |
|---|---|
| A.6.1 Screening | Verify the person before trust is granted |
| A.6.2 Terms and Conditions of Employment | Make security responsibilities explicit before work starts |
What the exam is likely testing
- Screening must be lawful, ethical, proportional, and risk-based.
- Screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope.
- Candidate-supplied documents are weak unless independently verified where permitted.
- Employment terms must state both personnel and organization information security responsibilities.
- Confidentiality agreements support A.6.2 but do not replace broader security responsibility terms.
- Personnel data collected for screening or HR purposes must be protected.
Common wrong answers
| Wrong answer | Why it is wrong |
|---|---|
| Screen everyone with the strongest possible check | Violates proportionality and may violate law or ethics |
| Accept the CV and certificates because HR collected them | Collection is not independent verification |
| Contractors do not need screening or security terms | People in ISMS scope can include contractors and third-party users |
| NDA equals A.6.2 compliance | A.6.2 covers broader security responsibilities |
| Terms can be signed after access is granted | The control expects responsibilities to be clear before work or access |
| Ongoing screening means continuous surveillance | It should be lawful, ethical, and risk-triggered |
Quick distinction
| Question | A.6.1 | A.6.2 |
|---|---|---|
| Main purpose | Verify suitability and reduce personnel trust risk | Define accepted security responsibilities |
| Timing | Before joining or before sensitive access; ongoing when justified | Before work starts or before confidential access |
| Evidence | Screening records, verification notes, risk-based matrix | Signed terms, confidentiality agreements, acknowledgements |
| Main owner | HR/recruitment with security and managers | HR/legal/procurement with security and managers |
| Key trap | Over-screening or under-screening | Treating NDA as the whole control |
Practical mentor takeaway
Last-day cue
A.6.1 asks: did we check the person appropriately before trusting them? A.6.2 asks: did the person and organization clearly accept their security responsibilities before work or access?
- Iso27001
- ISO27002
- Exam
- People controls
Note Metadata
Aliases: A.6.1 vs A.6.2 exam cues
Source: 09-Exam-Preparation/EXAM-016-People-Controls-Screening-and-Terms.md