In developing a procedure for the management of human resources, it is necessary to provide for the candidate selection phase, recruitment, training, skills and the disciplinary process, integrating the security controls of Annex A of ISO/IEC 27001.
There are two operations to be performed in the information security management system, pursuant to ISO 27001:2017, to achieve compliance relating to security in human resource management. We develop them below by illustrating the three steps in a simple and schematic way.
First of all, it is necessary to create a procedure that monitors people (human resources): their skills, their awareness of risks and of information security policies, and their operational and methodological skills in relation to their “role” in the 27001 management system. Then we move on to integrating the security controls of Annex A of the standard into the procedure, so as to ensure that the security controls are embedded in the people management process.
The procedure for managing people and skills
The procedure to be drawn up must establish who is responsible for each phase of the people (human resources) management process and of the management of their skills. Obviously, the work activities carried out in compliance with the provisions of each phase must be documented in specific “records” that demonstrate compliance with the regulatory requirements of clauses 7.2 and 7.3 of ISO 27001:2017.
The integration of the security controls of Annex A
With regard to information security in the field of human resource management, Annex A of ISO 27001:2017 provides the series of controls no. 7, Security of human resources. Below we have illustrated, in table format, the way in which the information security management system must:
- Identify each individual security control
- Establish how to integrate the control into your human resource management process
- Indicate the documented records that give objective evidence of the integration of the control into the management system
- Assign responsibility for the “concrete” effectiveness of the control in protecting information security