ISO27001:2022 - A6.1 – Screening

In business, they often say that the greatest investment you can make is in your people. But are they the right people? ISO27001 expects you to carry out screening of personnel who will be joining your business so you can have some confidence that they are.


To be clear, in this context of ISO27001, the screening process is about evaluating personnel to see if they are a good fit for the role they’re performing (or going to perform) and your business.


What does the standard require?

The standard states that “Background verification checks on all candidates to become personnel shall be carried out prior to joining the organisation and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.” (A6.1 – Screening).


There are a few points to highlight here.


Before they join

First note that we’re talking about performing background verification checks on all candidates prior to joining your business.


Background checks can include:

  • Right to work in your country

  • Disclosure and Barring Service (DBS) checks for criminal records, which will show unspent convictions and other details depending on the level of check

  • Professional references and certifications for professions such as law, medical and teaching

  • Personal references which are more traditional requests for comment from previous employers

  • Credit checks for those people working in finance roles, e.g. Finance directors or accounts

  • Media, including Social Media, to discover if there are any negative aspects that surface online or in the press


Dependent upon your industry, some or all of the above will be relevant. But you may also have additional background checks that you need to carry out.


If you’re wondering if it’s ok to include social media background checks in this list, then the answer is yes, you should (see the Q&A below).


Now they are in the team

One aspect of this ISO27001 control which many people miss is that background checks should be carried out on an ongoing basis. This can be onerous, so keep in mind that all checks should be proportionate to the business requirements, the classification of the information to be accessed and the perceived risks. Therefore you may decide that these kinds of checks don’t need to be conducted on everyone, but you might carry out checks on those in key roles (such as financial controllers or directors).


For professions where professional qualifications must be maintained, such as the legal sector, then annual review of professional qualifications is a must and is more than acceptable.


Again, the topic of social media and reviewing online activities of your team may feel invasive, but it’s standard practice for most organisations – we cover this below in the Q&A section.


Why is this required?

Hiring people is expensive, and you want to make sure you’re hiring the right person for the role. But you need to make sure the claims they’re making on their CV are accurate.  Unfortunately people aren’t always honest, and they may tell you a few ‘white lies’, or all-out-whoppers on their CV. What you need to check is that the person is suitable for the role you’re hiring for, and find out before they start. 


At the basic, foundational level you need to know that the person you’re hiring is eligible to work in your country, as that is a legal requirement. For example, you can’t hire underage people, and this is especially relevant for the hospitality industry where they might be handling alcohol. 


Hiring the wrong kind of people because you didn’t perform background checks can land you in court, and see your business closed down. In the worst-case scenario, it could see you in prison!


We have come across far too many cases where a client has hired someone, who then went on to become a ‘bad actor’ and insider threat. Yet some basic background checks on their references would have raised a few red flags that would have prevented the client hiring them, or would have raised additional questions.


Examples of employees (including directors and shareholders) ‘going rogue’ are too numerous to list here, but to illustrate the point, we would ask you a simple question: would you open your house up to a complete stranger, and leave them to live there without first checking their background? We hope the answer to this is no, and if that’s the case, then why would you do the same with your business?


What the auditor is looking for

The auditor isn’t specifically looking for a documented process, but if you have a checklist of background checks that will be performed then this is great evidence.


In the absence of any documented process, you should be able to present the following to the auditor:


  • Policies which outline the kind of screening and background checks conducted.

  • Contracts of employment.

  • Contractor agreements.

  • References sent, received and actioned.

  • Evidence that screening takes place. This could include evidence of DBS or credit checks. It could also include copies of ID and visas for eligibility of working in the country.

  • Copies of qualifications and certificates.

  • HR systems and files which include details of background, competency and qualifications

  • 1-2-1 meetings

  • Evidence of periodic reviews of background checks


What do you need to do?

Speak to your HR function and ask them about what background checks are carried out.  Hopefully they do perform some form of checks. Is there a checklist that they follow? If not, then help them create one.


Gather evidence of the background checks being done and identify any gaps in the process. For example, are requests for references followed up? If not, then why not?  Keep in mind that this needs to be proportionate, so think about the organisation and the different levels of checks that you should put in place.


With the help of your HR function or specialist, develop a policy which outlines what background checks are carried out and ensure all staff are aware. This is important so that they know that social media may be used for periodic reviews and ongoing checks, and for those sectors that need it, up to date certificates and evidence of qualifications will be required.  This isn’t a policy you need to write alone, so make sure you engage with your HR specialist or function.


Q & A

Should we include social media for background checks?

Yes. The official term for this is ‘OSINT’ – Open Source Intelligence. This is a fancy term which means searching on social media platforms for people and reviewing their social media profiles. This may feel invasive, and a breach of privacy, and we are not saying that you should ask for their login details(!), but you can search on Facebook, TikTok, Instagram, LinkedIn etc. to see their public-facing profiles.


Remember that we are all in control of our own social media posts, and we curate our own feed and online profile. What we choose to share with the world is there for the world to see, including employers, potential investors, clients and future clients.


Imagine you are hiring a team member, but discover that on social media they are running a “side-hustle” of being an ‘influencer’ on social media for a product or brand that is in competition or at odds with your values.  Or perhaps they are promoting groups or ideologies online which also go against your core values and ideals.  What would a client think if they saw your Sales Director promoting products, services or ideals which could be detrimental to your brand?


The idea that looking on social media for background checks is somehow ‘invasive’ doesn’t make sense. After all, if you were dating someone, wouldn’t you ‘Google them’? Don’t you perform your own form of background checks on potential life partners? Why would it be any different for your professional partners?


Having said all of the above, I will add a word of caution here. You need to be very clear about the fact that you are performing such checks, and you should work with HR professionals to ensure you have policies in place surrounding this topic. It’s not always as clear cut as it may first appear. We all have the right to freedom of speech, but there is a line between acting professionally and doing something which could reasonably be described as ‘unprofessional’. Just make sure you have clarity around this before you get started – speak to your HR professional.


What happens if someone fails background checks?

This really depends on what you want to do. But remember that this is about proportionality and risk, so don’t think it means that you can’t hire that person or you have to let them go.


You might decide to delay their onboarding or hiring until you can gain a better understanding of why you’ve received negative references or they failed their background checks.  You may decide to continue to hire them, but reduce their access to systems or certain activities until further checks have been completed. This may also be true of those who are currently in roles, where you put them on reduced duties, or perhaps put them into a different role. 


In the worst case of course, where you discover they have falsified information, then you may decide to end their employment.


Again, seek advice from your HR specialist about all of this so that you handle the situation correctly.


Why do I need to do these periodically?

You need to verify the continued suitability of the person who is now working in your organisation. At the most basic level, this might be checking that their professional qualifications are maintained so that they can continue to carry out their role. Those in the teaching, medical and legal professions need to maintain their professional qualifications in order to do their jobs, so it’s your responsibility to ensure this happens.


For those in trusted positions, such as directors or financial controllers, you want to ensure nothing has come up in their personal lives which may lead them to become less than desirable members of your team. Again, this needs careful consideration and we would always recommend working with your HR specialist to advise on how best to go about this.


Difficulty rating

We rate this a 1 out of 5 difficulty rating. This isn’t a difficult control to implement, because you need to speak to your HR specialist or function to evidence this control is in place. It’s not your job to write the process or policy, but you do need to evidence there is a process in place.  If you are a very small business this may be completely new to you, and therefore the difficulty may increase a little. But remember to keep it simple, and start with the basics and then outline what kind of checks you feel are appropriate for your business.


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.
