ISO 27001 - 6.1 Screening

"Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks."[1]

ISO 27001 - 6.2 Terms and Conditions of Employment

"The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security."[1]

ISO 27001 - 6.3 Information Security Awareness, Education and Training

"Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function."[1]

ISO 27001 - 6.4 Disciplinary Process

"A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation."[1]

ISO 27001 - 6.5 Responsibilities After Termination or Change of Employment

"Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties."[1]

ISO 27001 - 6.6 Confidentiality or Non-disclosure Agreements

"Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties."[1]

ISO 27001 - 6.7 Remote Working

"Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises."[1]

ISO 27001 - 6.8 Information Security Event Reporting

"The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner."[1]