wavehwa.blogg.se

Iso 27002 controls checklist










In this article, we explain the new ISO 27002:2022 chapter 6 – People controls. This covers the controls required for secure human resources management.

This is the second article in a series of four, each article covering one chapter:

  • People controls (chapter 6) – This article.

In the previous version, ISO 27002:2013, many of these controls were to be found in chapter 7, Human Resources. Those familiar with the 2013 version will find a few new controls in this version. A detailed explanation of the previous controls can be found in this blog post.

Screening (6.1)

An information security management system needs a policy for screening all new or promoted employees, including consultants and temporary staff. This is to ensure that employees are competent and trustworthy. The policy needs to take into account both local legislation and regulations and the role of the new employee to ensure that screening is sufficient but not disproportionate. Some roles within an organisation may require a higher level of screening, for example if employees will be handling confidential information. For information security roles in particular, screening should also include necessary competences and trustworthiness, and this should be documented accordingly.

Terms and conditions of employment (6.2)

Before beginning work, the employee needs to be aware of the organisation’s information security policy, including information security roles and responsibilities. This could be communicated via a signed code of conduct or similar method. The employees’ contracts should also include the organisation’s relevant information security policy, including a confidentiality agreement if the employee will have access to confidential information.

Information security awareness, education and training (6.3)

Employees need information security training when they join the organisation or change roles. Longer serving personnel also need to have their awareness maintained with regular training and communication.











