A.6.1 through A.6.3 — Screening Employment Terms and Awareness

A.6.1 Screening — Risk-Proportionate Verification That Actually Works

Control A.6.1 requires background verification checks on all personnel candidates, carried out prior to joining the organization and on an ongoing basis, taking into consideration applicable laws and being proportional to business requirements, information classification, and perceived risks. What this means in practice: your screening program needs to be stratified, legally compliant, and actually completed before people start work.

The most common failure I encounter during audits isn't inadequate screening procedures — it's the complete disconnect between what's documented and what actually happens. Organizations create comprehensive screening matrices on paper, then routinely bypass them under hiring pressure. I've seen financial services firms grant privileged access before criminal background checks returned, and healthcare organizations onboard nurses handling patient data while reference checks were still pending.

Building Risk-Based Screening Tiers

Your screening program should define at least three verification levels based on role sensitivity and access requirements:

  • Standard Access Roles: Identity verification (passport/driving license), right-to-work documentation, employment history verification for past two years, basic professional reference checks
  • Elevated Access Roles: All standard checks plus criminal background screening, credit checks where legally permitted, verification of claimed qualifications and certifications, extended employment history (5+ years)
  • High-Risk Roles: All elevated checks plus enhanced financial disclosure, security clearances where applicable, social media review within legal boundaries, psychological assessment for critical positions

The key distinction lies in your role mapping. System administrators, finance personnel, and anyone with access to personal data typically require elevated screening. C-level executives, security personnel, and roles with access to highly classified information warrant high-risk screening. Document this mapping clearly — auditors will cross-reference your screening records against role classifications.

Auditor Insight: I always check whether screening levels actually match the access granted. A common finding is junior staff with administrative privileges receiving only basic screening while senior management with limited system access gets comprehensive vetting.

The Pre-Employment Access Problem

ISO 27002:2022 acknowledges that verification may not complete in a timely fashion and specifies mitigating controls: delayed onboarding, delayed asset deployment, onboarding with reduced access, or employment termination. Your procedure must define these fallback positions.

At a technology startup I audited, hiring pressure consistently overrode screening completion. Their solution: implement a "provisional access" category for urgent hires. Provisional employees received restricted network access, required escort in secure areas, had enhanced activity logging, and faced automatic termination if screening failed. This approach satisfied business needs while maintaining security posture.
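The two audit checks described above (screening depth matching the access granted, and full access never preceding screening completion, with provisional access as the sanctioned exception) can be reconciled mechanically from HR and IAM records. The following is an added example, not code from the original article; the role-to-tier mapping, record layouts and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
# Screening tiers from A.6.1, in increasing order of depth.
TIERS = {"standard": 1, "elevated": 2, "high_risk": 3}
# Hypothetical role-to-tier mapping; an assumption for this example.
ROLE_TIER = {"helpdesk": "standard", "sysadmin": "elevated",
             "finance_analyst": "elevated", "ciso": "high_risk"}

@dataclass
class Screening:
    person: str
    tier: str                      # highest tier completed
    completed: Optional[date]      # None while checks are still pending

@dataclass
class AccessGrant:
    person: str
    role: str
    granted: date
    provisional: bool = False      # restricted "provisional access" for urgent hires

def reconcile(screenings: List[Screening], grants: List[AccessGrant]) -> List[Tuple[str, str]]:
    """Cross-reference access grants against screening records and return
    (person, finding) pairs for the mismatches an auditor looks for."""
    by_person = {s.person: s for s in screenings}
    findings = []
    for g in grants:
        s = by_person.get(g.person)
        if s is None:
            findings.append((g.person, "no screening record"))
            continue
        # Full (non-provisional) access must not precede screening completion.
        if not g.provisional and (s.completed is None or s.completed > g.granted):
            findings.append((g.person, "access granted before screening completed"))
        # Screening depth must match the tier the role requires.
        required = ROLE_TIER[g.role]
        if TIERS[s.tier] < TIERS[required]:
            findings.append((g.person, f"screened at {s.tier}, role requires {required}"))
    return findings

# Constructed sample records, not real data.
SCREENINGS = [Screening("alice", "standard", date(2024, 3, 1)),
              Screening("bob", "elevated", None),
              Screening("carol", "elevated", date(2024, 4, 10))]
GRANTS = [AccessGrant("alice", "sysadmin", date(2024, 3, 5)),
          AccessGrant("bob", "finance_analyst", date(2024, 3, 20)),
          AccessGrant("carol", "finance_analyst", date(2024, 4, 12)),
          AccessGrant("dave", "helpdesk", date(2024, 5, 1), provisional=True)]
```

Running `reconcile(SCREENINGS, GRANTS)` flags alice (admin role, only standard screening), bob (access before screening completed) and dave (no screening record at all), while carol passes cleanly.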

Ongoing Screening Requirements

The 2022 revision explicitly emphasizes ongoing verification — something many organizations completely ignore. Your procedure should address:

  • Periodic re-verification schedules (every 3-5 years for sensitive roles)
  • Self-disclosure requirements for material changes in circumstances
  • Automated monitoring against relevant databases where legally permitted
  • Clear policies requiring employees to report criminal convictions, financial difficulties, or other relevant changes

Legal compliance varies dramatically by jurisdiction. European GDPR restrictions, US state privacy laws, and industry-specific regulations all impact what ongoing screening you can perform. Engage legal counsel before implementing continuous monitoring.

A.6.2 Terms and Conditions of Employment — Making Security Obligations Enforceable

Control A.6.2 requires that employment agreements define personnel and organizational information security responsibilities, taking into consideration applicable laws. The control cross-references several other standards — ISO 27017 for cloud-specific roles, ISO 27018 for PII processing responsibilities, and ISO 27036 for supplier management roles.

Most organizations treat this as a boilerplate exercise, burying generic security clauses in dense employment contracts. During audits, I test whether employees actually understand their security obligations by asking specific questions about incident reporting, acceptable use, or data handling. The results are typically disappointing.

Essential Security Clauses

Your employment terms should explicitly address:

  • Acceptable use of information systems — referencing your Control 5.10 policy with specific examples of prohibited activities
  • Information classification and handling — linking to Controls 5.12 and 5.13 with role-specific requirements
  • Incident reporting obligations — connecting to Control 5.24 with clear escalation procedures and timeframes
  • Password and authentication requirements — implementing the requirements of Controls 5.17 and 5.18
  • Remote working provisions — satisfying Control 6.7 if applicable to the role
  • Confidentiality obligations — extending beyond employment termination
  • Disciplinary consequences — linking to Control 6.4 procedures

The key is specificity. Instead of "employees must maintain confidentiality," specify "employees handling customer data classified as CONFIDENTIAL under our information classification scheme must not discuss such information outside designated secure areas, share access credentials, or store such data on personal devices."

Role-Specific Security Responsibilities

Different roles require different security obligations. Your employment terms should differentiate between:

  • General users: Basic acceptable use, incident reporting, password hygiene
  • Privileged users: Enhanced monitoring acceptance, additional access controls, specialized training requirements
  • Remote workers: Home office security, secure connectivity, equipment handling
  • Third-party personnel: Limited access acknowledgment, visitor escort requirements, data return obligations

Common Mistake: Organizations often fail to update employment terms when roles change. An employee promoted from general user to database administrator should sign amended terms reflecting their new security responsibilities.

A.6.3 Information Security Awareness, Education and Training — Beyond Click-Through Compliance

Control A.6.3 requires that personnel receive appropriate information security awareness, education, and training with regular updates on policies and procedures relevant to their job function. The control emphasizes assessment of understanding and effectiveness measurement — requirements most organizations completely ignore.

I consistently find organizations treating awareness as an annual compliance exercise rather than an ongoing risk reduction program. Employees click through generic modules while checking phones, then immediately forget everything they've seen. Meanwhile, phishing success rates remain unchanged, and password hygiene stays poor.

Designing Effective Awareness Programs

ISO 27002:2022 distinguishes between awareness (general consciousness-raising) and training (specific skill development). Your program should include both:

Awareness Components:

  • Management commitment communications
  • Policy and procedure updates
  • Personal accountability messaging
  • Incident lessons learned
  • Contact points for security guidance

Training Components:

  • Role-specific technical skills
  • Hands-on security tool training
  • Incident response procedures
  • Specialized compliance requirements

Effective programs use multiple delivery channels: in-person briefings, interactive workshops, targeted communications, simulated phishing, security newsletters, and just-in-time guidance during risky activities.

Assessment and Effectiveness Measurement

The standard explicitly requires testing knowledge transfer and program effectiveness. Your approach should include:

  • Comprehension testing: Quizzes and practical exercises following training sessions
  • Behavioral measurement: Phishing simulation results, incident reporting rates, policy violation trends
  • Skills verification: Practical demonstrations for technical roles
  • Feedback collection: Participant evaluations and improvement suggestions

A manufacturing company I audited replaced generic e-learning with role-specific workshops. Production staff learned about USB device risks in their environment. Finance personnel practiced identifying business email compromise. IT staff conducted tabletop incident response exercises. Post-training assessments showed 85% comprehension rates versus 45% with their previous approach.

Ongoing and Targeted Training

Your training program should address:

  • New hire orientation: Comprehensive security introduction within first 30 days
  • Role change training: Updated requirements when responsibilities change
  • Annual refresher: Policy updates and emerging threat awareness
  • Incident-driven training: Targeted awareness following security events
  • Specialized training: Technical skills for security-critical roles

Cross-reference with ISO 27017 for cloud security training requirements, ISO 27018 for privacy protection training, and sector-specific standards for specialized awareness needs.

What Auditors Look For

During audit fieldwork, I examine:

Screening Evidence:

  • Screening procedures mapped to role classifications
  • Completed verification records with timing documentation
  • Approval records showing screening completion before access granted
  • Ongoing verification schedules and completion records
  • Legal compliance documentation for your jurisdiction

Employment Terms Evidence:

  • Signed employment agreements with current security clauses
  • Updated terms for role changes or policy updates
  • Evidence employees understand their obligations
  • Disciplinary procedures and enforcement records

Awareness Program Evidence:

  • Training records with completion dates and assessment results
  • Program effectiveness measurements and improvement actions
  • Role-specific training materials and delivery records
  • Incident-driven awareness initiatives
  • Management review of program performance

These three controls form the foundation of human resource security. When implemented properly, they create a workforce that's appropriately vetted, clearly aware of their obligations, and continuously educated about evolving threats. When treated as compliance exercises, they become administrative burdens that provide little risk reduction.

The investment in properly implementing Controls 6.1 through 6.3 pays dividends across your entire ISMS. Well-screened, informed employees become your strongest defense against both external attacks and insider threats. The alternative — hoping that technical controls alone will protect you — consistently proves inadequate in real-world scenarios.

For deeper implementation guidance and practical templates, consider joining our ISO 27001 Info Hub community where practitioners share real-world experiences and proven approaches.

Need personalized guidance? Reach our team at ix@isegrim-x.com.
