ISO 27001

ISO 27001 Annex : A.7.3 Termination and Change of Employment

The objective of ISO 27001 Annex A.7.3, Termination and Change of Employment, is to safeguard the interests of the organization as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of Employment Responsibilities

Control- Information security responsibilities and duties that remain valid after termination or change of employment must be defined, communicated to the employee or contractor, and enforced.

Implementation Guidance- The communication of termination responsibilities may include ongoing information security requirements and legal responsibilities and, where applicable, the duties contained in any confidentiality agreement and in the terms and conditions of employment that continue for a defined period after the employee's or contractor's employment ends.

Responsibilities and duties still valid after termination must be included in the terms and conditions of employment of the employee/contractor.

Changes of responsibility or employment should be managed as the termination of the existing responsibility or employment combined with the initiation of the new one.


Annex 7.3 of ISO 27002 addresses the activities involved in termination or change of employment. At Infosavvy, we have skilled trainers who can help you improve your information security skills and gain in-depth knowledge of the ISO standards. We also offer one of the most highly regarded information security certifications, IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification), which helps you develop the expertise needed to carry out an ISMS audit using widely recognized auditing principles, practices and techniques.


Other Information- The human resources function is generally responsible for the overall termination process and works with the supervisor of the person leaving to manage the security aspects of the relevant procedures. Where a contractor has been provided through an external party, the termination process is carried out by that external party in accordance with the agreement between it and the organization. It may be necessary to inform employees, customers, and contractors of changes to personnel and operating arrangements.

Read More : https://www.info-savvy.com/iso-27001-annex-a-7-3-termination-and-change-of-employment/


Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ


ISO 27001 Annex : A.7.2 During Employment

The objective of ISO 27001 Annex A.7.2, During Employment, is to ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1 Management Responsibilities

Control- Management should require all employees and contractors to apply information security in accordance with the policies and procedures established by the organization.

Implementation Guidance- Management responsibilities should include ensuring that employees and contractors:

  1. Are adequately briefed on their information security roles and responsibilities before being granted access to confidential information or information systems;
  2. Are provided with guidelines stating the information security expectations of their role within the organization;
  3. Are motivated to comply with the organization's information security policies;
  4. Achieve a level of information security awareness relevant to their roles and responsibilities within the organization;
  5. Comply with the terms and conditions of employment, including the organization's information security policy and appropriate working methods;
  6. Continue to have the relevant qualifications and expertise, and are trained regularly;
  7. Are provided with an anonymous reporting channel for breaches of information security policies or procedures ("whistleblowing").

Management should demonstrate support for information security policies, procedures, and controls, and act as a role model.

Other Information- If employees and contractors are not made aware of their information security responsibilities, they may cause significant damage to the organization. Motivated personnel are likely to be more reliable and to cause fewer information security incidents.

Poor management can cause staff to feel undervalued, which has a negative impact on the organization's information security. For example, poor management can lead to information security being neglected or to potential misuse of the organization's assets.

"To win in the marketplace you must first win in the workplace."

– Doug Conant

A well-said quote that speaks to an employee's positive attitude toward their work and the organization. Addressing security during employment in every organization raises awareness of the roles and responsibilities involved in preserving and protecting the confidentiality of the organization's assets.

Annex 7.2 of ISO 27001 addresses the activities and implications of organizational infringements during employment. At Infosavvy, we have experienced trainers who can give you better insight into information security in business and help you learn about the safeguards that protect it. We offer one of the most highly regarded information security certifications, IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification).

A.7.2.2 Information Security Awareness, Education and Training

Control- All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training, as well as daily updates on organizational policies and procedures, as relevant to their job function.

Implementation Guidance- An information security awareness program should aim to make employees and, where relevant, contractors aware of their information security responsibilities and of the means by which those responsibilities are discharged.

An information security awareness plan should be established in line with the organization's information security policies and related procedures, taking into account the organization's information to be protected and the controls implemented to protect it. The awareness plan should include a range of awareness-raising activities, such as campaigns and the issue of booklets or newsletters.


The awareness program should be planned in the context of the roles of the employees in the organization and, where relevant, the expected awareness of contractors. The activities in the awareness program should be scheduled over time, ideally annually, so that they are repeated and cover new employees and contractors. The awareness program should also be updated regularly so that it stays in line with organizational policies and procedures and draws on lessons learned from information security incidents.

Awareness training should be carried out as required by the organization's information security awareness program. It may use multiple delivery methods, including classroom-based, distance learning, web-based, self-paced, and others.

Information security education and training should also cover key aspects such as:

– The commitment of management to information security across the organization;

– The need to become familiar with the relevant rules and regulations on information security, as specified in policies, guidelines, laws, regulations, contracts, and agreements;

– Personal accountability for one's own actions and inactions, and the general responsibility to secure and protect information belonging to the organization and to external parties;

– Basic procedures (e.g. reporting of security incidents) and baseline controls (e.g. password security, malware controls and clear desks);

– Contact points and tools for additional knowledge and guidance on information security issues, including more information security awareness and training materials.

Information security awareness, education, and training should take place regularly. Initial education and training applies not only to new starters but also to those who transfer to new positions or roles with substantially different information security requirements, and should take place before the role becomes active.


To deliver education and training effectively, the organization should establish an education and training program. The program should be consistent with the organization's information security policies and procedures, taking into account the information to be protected and the safeguards implemented to protect it. The program should consider different forms of education and training, e.g. lectures or self-study.

Other Information- When designing an awareness program, it is important to focus not only on the 'what' and 'how' but also on the 'why'. It is crucial that employees understand the purpose of information security and the potential positive and negative effects of their own behaviour on the organization.

Awareness, education, and training can be part of, or delivered in collaboration with, other training programs, such as general IT or general security training. Awareness, education, and training programs should be suitable and relevant to the duties, responsibilities, and skills of the individual.

At the conclusion of an awareness, education, or training course, an assessment may be carried out to test knowledge transfer and evaluate employee comprehension.

Read More : https://www.info-savvy.com/iso-27001-annex-a-7-2-during-employment/



ISO 27001 Annex : A.7 Human Resource Security

A.7.1 Prior to Employment

The objective of ISO 27001 Annex A.7, Human Resource Security, is to ensure that both employees and vendors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1 Screening

Control- Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations, and ethics, and should be proportionate to the business requirements, the classification of the information to be accessed, and the perceived risks.

Implementation Guidance- All relevant privacy, protection of personally identifiable information, and employment-based legislation should be taken into account, and verification should include the following:

  • Availability of appropriate references to character, e.g. one business and one personal;
  • A verification of the applicant’s curriculum vitae (for completeness and correctness);
  • Verification of asserted professional and academic qualifications;
  • Independent biometric identification (passport or similar document);
  • Further, more detailed verification, such as credit checks or criminal record checks.


When recruiting an individual for a designated security role, the organization should ensure that the candidate:

  • Has the expertise needed to carry out the security role;
  • Can be trusted, especially when the role is critical to the organization.

When a position, whether by initial appointment or by promotion, involves access to information processing facilities, and especially when it involves handling sensitive information such as financial or confidential information, the organization should require further verification.

"No matter how good or successful you are or how clever or crafty, your business and its future are in the hands of people you hire."

– Akio Morita

Procedures should define the criteria and limitations for verification checks, such as who is eligible to screen people, and how, when, and why verification checks are carried out.

A screening process should also be ensured for contractors. In these cases, the agreement between the organization and the contractor should specify the responsibilities for conducting the screening and the notification procedures to be followed if the screening has not been completed or if the results give rise to doubts or concerns.

Information on all candidates being considered for positions within the organization should be collected and handled in accordance with the legislation applicable in the relevant jurisdiction. Depending on the applicable legislation, candidates should be informed in advance of the screening activities.

This is where Human Resources plays a crucial role in the organization: making the right selection, making new hires aware of their roles and responsibilities, and carrying the responsibility for the organization's security that comes with the HR role. Training sessions at Infosavvy give you in-depth knowledge of the security measures HR needs to take while hiring a candidate; the guidelines for this security role are covered in the IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification) courses. Infosavvy coaches help you develop your abilities and learn to recruit people who are qualified and experienced for a specific role. We use many examples to make your learning more interactive and effective.

A.7.1.2 Terms and Conditions of Employment

Control- Contractual agreements with employees and contractors should state their responsibilities, and those of the organization, for information security.

Implementation Guidance- The contractual obligations of employees or contractors should reflect the organization's information security policies and, in addition, should clarify and state the following:

  • That employees and contractors who are given access to sensitive information sign a confidentiality or non-disclosure agreement before being granted access to information processing facilities;
  • Legal responsibilities and rights of the employee or contractor, e.g. copyright or data protection legislation;
  • Responsibilities for classifying information and handling organizational assets related to information, information processing and information services managed by the employee or contractor;
  • Employee or contractor’s responsibilities in the handling of information received from other companies or from outside parties;
  • Actions to be taken where the employee or contractor fails to comply with the security requirements of the organization.

Information security roles and responsibilities should be communicated to job candidates during the pre-employment process.

The organization should ensure that employees and contractors agree to the information security terms and conditions appropriate to the nature and extent of their access to the organization's information systems, services and assets.

Responsibilities under the terms and conditions of employment should, where appropriate, continue for a defined period after the termination of employment.

Read More : https://www.info-savvy.com/iso-27001-annex-a-7-human-resource-security/

