A.8 Human resources security

A.8.1 Prior to employment

Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

A.8.1.1 Roles and responsibilities

Control

Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization’s information security policy.

A.8.1.2 Screening

Control

Background verification checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

A.8.1.3 Terms and conditions of employment

Control

As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization’s responsibilities for information security.