AuditFront

ISO 27001 A.6.1: Screening

What This Control Requires

Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

In Plain Language

Before giving someone access to your systems and data, you need to know they are who they say they are. Background screening verifies identity, checks employment history, validates qualifications, and where appropriate, looks at criminal records and credit history.

The depth of screening should match the sensitivity of the role. A customer support agent and a database administrator with root access to production represent very different risk profiles and should be screened accordingly. This applies equally to employees, contractors, and temporary staff - auditors will check that you are not applying different standards.

Screening is not just a one-off exercise at hiring. Circumstances change over time, so people in sensitive roles may need periodic re-screening. The entire process must comply with privacy, anti-discrimination, and employment laws, which vary considerably between jurisdictions.

How to Implement

Create a screening policy that defines check types and depth based on role sensitivity. Set up role categories: standard screening for general positions, enhanced screening for roles with access to sensitive information, and comprehensive screening for privileged or high-trust positions.

For standard screening, cover identity verification (government-issued ID), right to work, employment history with previous employers, educational qualifications, and professional references. For enhanced screening, add criminal background checks (where legally permitted), credit checks for financial roles, professional licence verification, and social media review.

Decide which checks you will run in-house versus outsourcing to specialist screening providers. Complete screening before the individual starts work, or at the very least before they get access to sensitive information or systems.

Get the legal side right. Obtain informed consent from candidates before running checks. Comply with data protection laws for the personal data you collect. Follow equal opportunity laws and avoid discriminatory practices. Define clearly how screening results will be evaluated and what constitutes a failure.

For high-sensitivity roles, implement ongoing screening - for example, annual criminal background re-checks. Watch for changes in circumstances that could affect risk, such as financial difficulties for staff handling money. Have clear procedures for what happens when an existing employee fails a re-screening check.

Keep proper records of all screening conducted, stored securely with restricted access. Define retention periods based on legal requirements.

Evidence Your Auditor Will Request

  • Documented screening policy defining checks by role category
  • Screening records for recent new hires showing completed checks
  • Third-party screening provider contracts and service level agreements
  • Consent forms signed by candidates authorizing background checks
  • Records of ongoing screening activities for personnel in sensitive roles

Common Mistakes

  • Screening is not completed before individuals are granted access to systems and data
  • Contractors and temporary staff are not subject to the same screening standards
  • Screening depth does not vary based on role sensitivity and access level
  • No ongoing screening program for personnel in high-sensitivity roles
  • Screening records are not maintained or are stored insecurely

Related Controls Across Frameworks

Framework   Control ID       Relationship
SOC 2       CC1.4            Related
GDPR        Art.6            Partial overlap
NIS2        Art.21(2)(i)     Partial overlap

Frequently Asked Questions

What screening is required by ISO 27001?

The standard does not prescribe specific checks - it says screening must be proportional to the role's sensitivity, the information classification, and the perceived risks. You decide what is appropriate for each role. At a minimum, auditors expect identity verification and employment history checks. For more sensitive positions, criminal background and qualification verification are standard practice.

Can we screen contractors and third-party personnel?

Yes, and you really should. Include screening requirements in your contracts with staffing agencies and suppliers who provide personnel. Specify minimum standards and require evidence of completed screening before the person starts work. If the third party handles the screening, verify that their process meets your requirements. Make sure your agreements give you the right to request screening records.
