Screening - ISO 27001 Annex A Control

ISO 27001 Annex A 6.1

Check who you are hiring before you give them access to the information.

ISO 27001 Annex A 6.1 - Screening

The control sits at the start of the employment relationship. Before someone joins the organisation - or moves into a role with access to more sensitive information - the organisation needs to verify that they are who they say they are, that the qualifications they claim are real, and that there is nothing in their background that creates an unacceptable risk for the role.

Proportionality matters. A general administrative role does not need the same depth of screening as a system administrator with access to all customer data, and an entry-level position does not need the same checks as a senior finance role. The control asks the organisation to think about the role's risk profile and apply checks that match. Over-screening is intrusive and may create legal issues. Under-screening leaves real exposure.

Screening continues to matter after recruitment. Where someone moves into a higher-risk role, additional checks may be needed. Where contractors or temporary staff have similar access, equivalent screening should apply. The principle is that the level of trust given through access matches the level of verification done.

The most common gap I see is contractors. Permanent staff get put through a proper recruitment process with reference checks and identity verification. Contractors come in through the agency or through a personal connection, get given the same access, and the screening question gets skipped. The control applies regardless of employment type.

I will ask to see how the screening level was decided for a sample of recent joiners. If everyone gets the same checks regardless of role, that is a sign the proportionality test is not being applied. If the checks scale with the access being granted - a basic DBS check for staff handling personal data, financial checks for finance roles, deeper background checks for senior or sensitive roles - that demonstrates the control is working. One caveat: standard and enhanced DBS checks can only be requested for roles that are legally eligible for them (regulated activity, work with children or vulnerable adults, and the other listed exceptions). For most information-handling roles the basic check is the only one available, so a screening matrix that specifies an enhanced check for an ordinary data-handling role is a legal problem, not a sign of rigour.

Practical Compliance Guidance

Screening arrangements are described in the IMS1 manual at section 7 on competence and section 8.5 alongside the People Security Policy. The recruitment screening record provides the practical evidence.

alphaZ document | How to use it
ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

What checks should be carried out as a minimum?

As a baseline, identity verification, right to work in the UK, employment references and confirmation of any qualifications relied on for the role. Beyond that, additional checks should be applied based on role risk - DBS for roles involving regulated activity or vulnerable groups, financial checks for finance and senior roles, and sector-specific checks where applicable.

Do contractors and agency staff need to be screened?

Yes, where they will have access equivalent to that of an employee. The mechanism may differ - the screening may be done by the agency under contract, or required as a condition of engagement - but the equivalent verification should be in place. The procurement contract should state the screening expectations clearly.

How do we keep screening proportionate and lawful?

Apply the same checks consistently to all candidates for a given role, document the rationale for the level of checks chosen for that role, and only request information relevant to the role's information security requirements. Avoid checks that could be discriminatory or that go beyond what is necessary for the position.

UK Legislation

Several UK laws apply to recruitment screening for information security purposes:
