The importance of screening as an information security control
When it comes to information security, the human element is often the weakest link. No matter how advanced an organization’s technology and processes are, they can be undermined by insider threats—whether due to negligence, malicious intent, or lack of awareness. A robust screening process helps mitigate these risks by ensuring that individuals with access to sensitive information are trustworthy, reliable, and qualified.
ISO/IEC 27001:2022 and its requirements for screening
ISO/IEC 27001:2022 mandates that organizations conduct background verification checks on all candidates before they are hired and continue these checks periodically in line with applicable laws, regulations, and ethical considerations. The depth of these checks should align with business needs, the sensitivity of the information to be accessed, and the perceived risks.
It’s important to note that ISO/IEC 27001 applies screening requirements to all personnel—full-time, part-time and temporary staff. Additionally, when engaging third-party suppliers or contractors, the organization must ensure that screening requirements are included in the contractual agreements with those vendors. This holds true even when personnel are sourced through employment agencies; agreements with such agencies should explicitly include screening requirements.
Implementing a robust screening process
To comply with ISO/IEC 27001:2022, organizations should establish clear procedures for screening. Such procedures should address:
- Screening requirements: What checks are necessary for each role, how the checks will be conducted, and who will manage the process.
- Fairness and transparency: The screening process should be transparent, equitable, and compliant with local laws, such as data protection regulations.
- Risk-based approach: The screening process should align with the role’s sensitivity, the associated security risks, and business requirements.
Typical screening checks include:
- Verification of the individual’s identity.
- Independent confirmation of claimed academic and professional qualifications.
- A thorough review of the candidate’s CV for accuracy and completeness.
- Reference checks, as appropriate.
- Additional detailed checks, such as credit reports or criminal record reviews, for critical roles.
For roles involving highly sensitive information, organizations may consider even more rigorous checks, such as polygraph testing or drug screening.
Ongoing screening and re-evaluation
Screening should not be a one-time activity. Regular re-screening, particularly for employees in sensitive positions, helps organizations quickly identify any changes in an individual’s circumstances that could impact their suitability for a role.
Conclusion
Screening is a critical measure to mitigate the risks posed by insider threats, boost trust and confidence, and enhance compliance—not only with ISO/IEC 27001 requirements but also with broader regulatory frameworks. To get the most out of your screening process, consider the following best practices:
- Tailor screening to role sensitivity: Not every role requires the same level of scrutiny. High-risk positions demand more comprehensive checks.
- Stay compliant with laws and regulations: Ensure your screening process complies with data protection regulations like GDPR, particularly in handling personal data of candidates who are not hired.
- Complete screening before employment starts: Screening should ideally be completed before employment begins. If this isn’t possible, implement mitigating controls, such as delayed onboarding, restricted access, or phased deployment of assets until the screening is fully completed.
For a deeper dive into ISO/IEC 27001 and its requirements, consider our online course. We also offer a specialized course covering the 93 information security controls, including screening, as outlined in ISO/IEC 27002.
Ready to test your knowledge of information security management and ISO/IEC 27001 requirements? Try our online assessment and certification programs for practitioners and auditors.
Upon passing our online test, you receive a certificate demonstrating your expertise—an asset that can boost your career prospects.