Screening
Plain English Translation
ISO 27001 Annex A.6.1 requires organizations to conduct background verification checks on all candidates, employees and contractors alike, before they join. These checks must be proportional to the business risks and to the sensitivity of the data the person will access, and they must fully comply with local laws and regulations. The primary goal is to ensure that individuals are trustworthy, competent for their assigned roles, and pose no undue risk to the organization's security.
Technical Implementation
Required Actions (startup)
- Run basic identity and criminal history checks via a reputable third-party service for all new hires.
- Ensure offer letters contain clauses indicating employment is contingent upon successful background verification.
Required Actions (scaleup)
- Define a risk-based matrix where highly privileged roles like DevOps or Finance undergo deeper screening such as credit checks or education verification.
- Ensure contractor agreements explicitly mandate equivalent screening by the third-party agency.
Required Actions (enterprise)
- Integrate background screening tools directly into the HR Information System (HRIS) for seamless, secure record management.
- Establish and schedule automated, ongoing re-screening for high-risk positions at planned intervals.
ISO 27001:2022 Annex A control A.6.1 requires background verification checks on all candidates to become personnel. These checks must be completed before joining, be ongoing where applicable, comply with local laws, and be proportional to the business requirements and perceived risks.
Yes, pre-employment screening is a mandatory control to satisfy ISO 27001 A.6.1 screening requirements. However, the depth and type of checks are determined by your organization's risk assessment, role requirements, and what is legally permissible in your specific jurisdiction.
Acceptable checks typically include identity verification, criminal record checks, employment history validation, education checks, and sometimes credit checks. The specific types must be risk-based and align with your documented background check policy.
Yes, ISO 27001 requires screening of contractors and third parties. Anyone granted access to the organization's information assets must be appropriately vetted, either directly by the organization or contractually through the third-party provider's own established screening process.
Under ISO 27001, risk-based screening criteria are defined by classifying roles according to the sensitivity of the data they access. For instance, an executive or system administrator with access to critical systems requires more extensive checks than a temporary worker with limited, low-risk access.
Under ISO 27001, ongoing re-screening should be conducted in proportion to the risk of the role, or upon significant changes in job responsibilities. Best practice often dictates re-screening personnel in highly privileged or sensitive roles every few years or during internal transfers.
To pass an ISO 27001 audit for A.6.1 screening, auditors expect to see a documented personnel screening procedure aligned to ISO 27001:2022, anonymized or redacted background check reports, and confirmation in HR records that screening was completed prior to the employee's start date.
To document screening results properly for ISO 27001, store records securely with strict access controls, typically within an HRIS, to preserve confidentiality. Retention must adhere to privacy laws, minimizing the storage of highly sensitive data once the hiring decision is finalized. WatchDog Security's Secure File Sharing can support controlled access and audit logging when screening artifacts need to be exchanged with authorized reviewers or stored as governed files outside an HRIS.
Legal and privacy considerations under ISO 27001 mean you may only perform checks permitted by local legislation. If criminal or credit checks are banned in a jurisdiction, organizations can rely on permitted alternatives such as reference checks, identity verification, and strict confidentiality agreements.
ISO 27001 screening (A.6.1) focuses entirely on vetting and verifying the background and trustworthiness of individuals before they are hired. Onboarding security controls relate to what happens after hiring, such as provisioning logical access, signing NDAs, and completing security awareness training.
Screening programs often fail in practice because HR and security teams lack a consistent way to apply different screening depths to different roles and to prove decisions were risk-based. WatchDog Security's Risk Register can document role-based screening risks, define treatment requirements (e.g., deeper checks for privileged roles), and record approvals and review cadence so screening levels remain consistent and auditable.
Background check results are highly confidential and can create privacy exposure if shared through email or stored in uncontrolled folders. WatchDog Security's Secure File Sharing helps teams store and share screening records with encrypted access, TOTP verification, and audit logs so only authorized reviewers can access them and access history is provable during an audit.
"Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |