Annex A of ISO 27001 is an essential tool for managing security. In this third blog on ISO Controls in Annex A, we will discuss Control A:7 in more depth. This control is specifically designed to prevent information breaches within the organisation through its employees.
Annex A:7 focuses on ensuring that employees and contractors are aware of and fulfil their information security responsibilities.
Annex A:7 Human resources security
Annex A.7.1 covers important aspects prior to employment. The primary objective of this Annex is to raise awareness about information security among employees and contractors. Business owners must ensure their HR teams develop and communicate these policies to employees.
A.7.2.1 Prior to employment – management responsibilities
This section emphasises that an effective HR team can efficiently lead employees. However, to maintain information security, management must be responsible for explaining policies and procedures to secure information to employees and contractors. Every organisation must ensure that all employees and contractors:
- Understand information security threats, vulnerabilities, and controls relevant to their roles. They should receive regular training (as per A.7.2.2).
- Undergo background checks before being granted access to any data.
- Acknowledge all legal regulations and policies as per business requirements.
- Have a contractual agreement stating the organisation’s responsibilities in case of any information security breach.
A.7.2.2 During employment – Information Security awareness, education & training
During employment, all employees and relevant contractors must receive ongoing education and training to perform their jobs securely. They must be regularly updated on organisational policies and procedures, especially when changes occur. Policies should provide a clear understanding of applicable legislation affecting their roles. Organisations can form a security team alongside HR or the Learning and Development team to conduct training sessions. These induction sessions should be held every six months, yearly, or whenever significant changes occur. It is essential to demonstrate training and compliance to auditors and gather feedback on how these inductions have effectively helped the team.
Get your FREE ISO Gap Analysis Checklist
A.7.3.1 Termination or change of employment responsibilities
To protect the organisation’s interests during changes or termination of employment, Annex A.7.3.1 states that if an employee is terminated, they are legally bound to maintain information security. Employees should sign a Return of Property form, ensuring they return all company property. This policy covers confidentiality beyond just exit and termination. The organisation must inform the employee that they no longer have access to information assets and must keep all information confidential.
For more guidance on achieving ISO 27001 certification and understanding Annex A:7, contact Citation Certification today. We provide comprehensive support and training to help your organisation meet all necessary requirements and achieve compliance with ISO 27001 standards.