Zum Hauptinhalt springen
CENEDRIL WIKI
DE
Annex A · People Control

A.6.1 — Screening

Updated on 4 min Reviewed by: Cenedril Editorial
A.6.1 ISO 27001ISO 27002BSI ORP.2

A new developer joins the team. Within the first week they receive admin-level access to the production database, the internal wiki and the customer CRM. Three months later, a background check reveals a falsified degree and a history of data-related misconduct at the previous employer. A.6.1 exists to catch these risks before access is granted.

The control requires organizations to verify the background of all candidates — employees, contractors and temporary workers — before they start and, where appropriate, at regular intervals during employment. The depth of the check must be proportional to the sensitivity of the role and compliant with local legislation.

What does the standard require?

The core requirements can be summarized in five points:

  • Verify before granting access. Background checks should be completed before the candidate starts or, if that is not feasible, before they gain access to sensitive information.
  • Proportionality. The depth of screening depends on the classification of the information to be accessed, the associated risks and the legal framework. A receptionist needs a different level of scrutiny than a database administrator.
  • Legal compliance. All checks must comply with applicable privacy and employment legislation. In many jurisdictions, criminal-record checks require the candidate’s explicit consent.
  • Cover all personnel types. The control applies to full-time employees, part-time staff, contractors, agency workers and consultants — anyone who will access organizational assets.
  • Periodic re-screening. Where circumstances change (role upgrade, security incident, regulatory requirement), screening should be repeated.

In practice

Define a screening matrix. Map each role category to the checks required. A simple table — role, identity check, references, criminal record, credit check — gives HR a repeatable process and auditors a clear artifact.

Integrate screening into the hiring workflow. Screening should be a defined step in your recruitment process, with a clear gate: no access until the check is complete. If the start date cannot wait, document the interim restrictions (e.g. supervised access only, no production systems).

Use a standardized consent form. Before running any check, obtain written consent from the candidate. The form should state what will be checked, which third parties will be involved and how the data will be stored and deleted.

Keep records. Store screening results securely with restricted access. Define a retention period that complies with local data-protection law — typically no longer than necessary for the employment relationship plus any statutory retention period.

Typical audit evidence

Auditors typically expect the following evidence for A.6.1:

  • Screening policy — documented rules defining which checks apply to which roles (link to HR Security Policy in the Starter Kit)
  • Screening matrix — role-to-check mapping
  • Consent forms — signed candidate consent for background checks
  • Verification records — results of identity, reference and qualification checks
  • Interim-restriction documentation — evidence that access was limited when screening was pending
  • Re-screening records — proof of periodic or trigger-based re-verification

KPI

% of new hires with completed background checks before start date

Measured as a percentage: how many of your new joiners (employees, contractors, temporary staff) had all required screening steps completed before their first day of access? Target: 100%. Organizations that are just starting typically sit at 60–80% and reach full coverage within one to two audit cycles.

Supplementary KPIs:

  • % of contractors with completed screening before access provisioning
  • Average time between screening request and completion (target: under 10 business days)
  • Number of roles with outdated or missing re-screening in the current cycle

BSI IT-Grundschutz

A.6.1 maps to several BSI modules around personnel security:

  • ORP.2 (Personnel) — the core module. Requires background checks proportional to the sensitivity of the role (A7), verification of qualifications (A13) and documentation of the screening process.
  • OPS.1.1.6 (Software tests and approvals) — requires screening for personnel with access to test environments containing real data (A16).
  • OPS.2.2 (Cloud Usage) — extends screening requirements to personnel of cloud service providers with administrative access (A19).

A.6.1 forms the entry point of the people-security lifecycle:

Additional connections: A.5.4 (Management responsibilities), A.5.6 (Contact with special interest groups) for sector-specific vetting requirements, and A.6.5 (Responsibilities after termination) for the offboarding counterpart.

Sources

Frequently asked questions

What types of background checks does A.6.1 require?

The standard does not prescribe specific check types. It requires verification proportional to the role's risk level and applicable laws. Common checks include identity verification, reference checks, qualification validation, criminal records (where legally permitted) and credit checks for financial roles.

Do screening requirements apply to contractors and temporary staff?

Yes. A.6.1 covers all personnel who will have access to the organization's information assets — employees, contractors, agency workers and consultants. Screening depth should match the sensitivity of the access granted.

How often should screening be repeated?

ISO 27001 does not set a fixed interval. Organizations typically re-screen when someone moves into a higher-trust role, when a security incident prompts a review, or at a defined cycle (e.g. every three to five years) for roles with elevated access.

What if screening cannot be completed before the start date?

The standard anticipates this scenario. You should restrict the person's access to sensitive information and systems until the screening is complete, and document the interim measures taken.