Human Resources


With people playing a major role in the implementation of security driven procedures and processes, it is critical that the management of that organisation’s human resource is aware of obligations in relation to this.

Each of the different phases in the employment life-cycle can have an impact on elements of the company’s technology and security framework, which demands alignment between an Information Security Management System and all processes in employment matters. This involves the processes of recruitment of new employees, changes of roles within the organisation, through to the processes around employees leaving the company.

The ISMS should include guidelines and policies for the organisation in the following topics:

  • Recruitment / Prior to Employment
  • Screening / Employee Checks
  • Onboarding / Induction and Training
  • Awareness / Ongoing Education
  • Change or Termination of Employment
  • Disciplinary

This particular topic is obviously relevant for large organisations with a range of departments and roles carrying out the company’s operational processes, many of which will involve the use of technology and the security measures that must be observed. However, even in smaller organisations, the principles behind the ISMS policies on human resources are still valid. In mid-size and small companies, there may be fewer individuals responsible for the functions normally carried out by several different roles in a large business or corporate environment. Elevated risks may be present simply because a small number of individuals will have access to several systems and information sets. So there will be a need to adapt the policies recommended here to take account of the smaller scale of the operating environment. Special consideration should be given to how employee education and training can be used to highlight challenges such as this.

    Policy Explanation

    To provide clarity during the recruitment process, recruiting managers naturally need to be familiar with employment legislation, the company’s own HR guidelines and the recruitment process itself. This is essential to allow recruiters to make the best decisions on how to carry out the recruitment effort. Also important for the recruiter is knowledge of the technology in place within the organsation and how different roles interact with the technology. This knowledge will assist the recruiter in considering the security risks associated with each role, so sensible decisions on recruitment can be made.

    To aid the recruiter, initial screening of candidates CVs and previous work history should be carried out and identity must be confirmed. In many organisations, the potential risk of fraud, misuse of facilities and theft discovered during screening can influence the suitability of potential candidates – this is especially important in industries where handling of cash and financial information is part of the role. For some industries, a police check may be necessary to determine whether criminal convictions are present – this may also influence the thinking on whether a candidate is suitable for a particular role.   

    At the employment offer stage, or possibly prior to that, reference checks from previous employers and validation of qualifications should be done based on a standard process. The Terms and Conditions of Employment should include details of security responsibilities for some roles, particularly those roles that involve access to sensitive systems and information.

    Onboarding should include training relevant to the role. Training of all new employees must include raising awareness of security and the ISMS policies in place. This should include dealing with security incidents and knowledge of appropriate channels for reporting security related matters.

    Change or termination of employment and the disciplinary process should include measures designed to prevent information leakage or malicious damage to data and systems. This should include processes to ensure quick termination of user accounts and privileges and to handle the return of company provided premises access cards, identity cards, technology devices, etc.

    More To Come...

    Look out for the next instalment in this topic.

    In the meantime, browse more Thistle Tech posts by clicking this button.

    Need Assistance?

    If you need assistance with this topic,

    or advice on any other aspect of what we do,

    feel free to contact us using this button.