Screening (ISO 27001 Annex A 6.1)
- tzuri.teshuba
- Jun 30

Security is only as strong as its weakest link, and when it comes to data security, the area most prone to vulnerability is the human factor, sometimes due to incompetence and sometimes due to bad intentions. Every employee, vendor and contractor you pass data to is a vulnerable point in your security. For this reason, it is crucial to perform background checks that screen these individuals for possible problems that should be avoided. This is an important control in the ISO 27001 framework (Annex A 6.1).
It is your responsibility to determine and document appropriate screening procedures for your organization, and they should reflect the risk and classification of the vendor being screened.
Companies generally do not have problems screening employees or discovering an issue soon after employment begins. Contractors, however, can easily be overlooked. Sometimes the background check is rushed or skipped completely because of an urgent need for their service. Since they do not report to your company as employees do, bad practices performed by a contractor can go unnoticed for a long time.
Therefore, it is good practice to have screening be a required part of your vendor onboarding process. For cases where the completion of screening absolutely must wait until work has begun, you should have that recorded in a risk register to ensure the matter is ultimately resolved or at least monitored.
With AxoTrax, you can make sure you are buttoned up. As part of the default onboarding process, HR must confirm that the vendor has undergone background checks and passed your data privacy course. HR can upload any relevant documentation files at that stage for ease of audit later on. Everything is customizable, so you can make it optional to defer the completion of screening if needed, and you can keep an eye on such vendors for risk management.