An insider with fabricated credentials gets hired into a role with privileged access. They pass the interview, clear a cursory reference check, and start Monday. Within weeks, they exfiltrate customer records using the legitimate access your organization granted them. The damage — data loss, regulatory fines, reputational fallout — was entirely preventable. ISO 27001 control 6.1 exists to catch this before onboarding, not after the incident report.
ISO 27001 control 6.1 requires organizations to verify the backgrounds of all candidates before granting access to information or systems. That means employees, contractors, temporary staff, and any third-party personnel who will operate within the scope of your information security management system.
The critical word in 6.1 is “proportionate.” Not every role needs the same depth of screening. A marketing intern and a database administrator with root access to production systems carry fundamentally different risk profiles, and the standard expects your screening to reflect that difference. The implementation guidance in ISO 27002:2022 reinforces this — you define what “proportionate” means for your organization through a risk-based screening matrix that maps check types to role sensitivity levels.
What trips up most organizations is treating screening as a one-time gate. The standard is explicit: verification checks should happen before employment begins and continue on an ongoing basis. When someone moves from a standard role into one with elevated privileges — say, a developer promoted to infrastructure lead — that transition should trigger re-screening. The risk profile changed, so the verification should too.
All screening must comply with applicable employment law, privacy regulations, and ethical standards in your jurisdiction. You cannot run criminal background checks in countries where legislation prohibits it for the role type, and you must obtain informed consent before initiating any verification. The control doesn’t override local law — it operates within it.
From a continuous monitoring perspective, 6.1 reflects a principle that extends beyond technical controls to people. You wouldn’t deploy a firewall and never update its rules. The same logic applies to personnel trust.
Why 6.1 Matters
Picture this scenario: a mid-size technology company hires a contractor through a staffing agency to help with a cloud migration project. The agency confirms the contractor’s availability and rate but doesn’t verify employment history or technical qualifications — and the hiring company assumes that’s the agency’s job. The contractor receives administrative access to production cloud infrastructure on day one. Three months later, a forensic investigation reveals that the contractor systematically exfiltrated customer data using those legitimate credentials. There was no intrusion detection alert because there was no intrusion. The access was authorized.
Insider threats are uniquely dangerous because they bypass the perimeter controls organizations spend millions on. Firewalls, intrusion detection systems, and endpoint protection are designed to stop unauthorized access. They do nothing against someone using the credentials you gave them. The risk class here is personnel trust, and for roles with privileged or broad system access, the severity is high.
The financial impact extends well beyond the breach itself. Ponemon Institute found that the average annual cost of insider threat incidents reached $15.4 million per organization — a figure that encompasses detection, investigation, containment, and remediation costs that proper pre-employment screening could substantially reduce.
The compliance dimension adds another layer. An ISO 27001 certification auditor who finds that your organization granted system access before completing background checks won’t treat it as a minor observation. It’s a nonconformity — one that calls into question whether your ISMS operates as documented. And unlike a missing patch or an outdated policy document, a screening failure implies a systemic gap in how your organization manages personnel trust.
What Attackers Exploit
The failure modes 6.1 is designed to prevent follow consistent patterns documented by the CERT Insider Threat Center and other threat intelligence organizations:
- Fabricated credentials or inflated qualifications to obtain roles with sensitive access. A candidate claims a security clearance or certification they never held, and no one verifies it.
- Gaps in contractor and temporary staff screening. Organizations assume the staffing agency handles it. The agency assumes the client handles it. Nobody handles it.
- No re-screening after internal role changes. An employee screened for a junior analyst position is promoted to a role with administrative access to financial systems. The original screening — if it was adequate for the first role — is inadequate for the second.
- Absent screening for third-party vendor personnel who receive system access through service agreements. The vendor’s employees access your data, but your screening requirements don’t extend to them.
- Incomplete checks accepted under time pressure. The project needs someone to start Monday, so the hiring manager approves provisional access. The provisional access becomes permanent. The checks never happen.
How to Implement 6.1
Implementation splits into two tracks: what you control directly within your organization and what you need to verify across your vendor ecosystem. A complete ISO 27001 implementation requires coordination between HR, IT, procurement, and security teams — screening can’t live in a single department’s silo.
For Your Organization
1. Define a screening policy with a risk-based matrix. Start by categorizing roles into risk tiers — standard, elevated, and critical — based on the sensitivity of data and systems each role can access. Map specific check types to each tier. A standard role might require identity verification and employment history. A critical role with access to production databases or financial systems adds criminal record checks (where lawful), qualification validation, and financial background checks.
2. Establish minimum checks across all roles. Every person entering your ISMS scope should undergo identity verification, employment history validation for the previous five years, qualification verification for any credentials the role requires, and at least one professional reference check.
3. Add enhanced checks for high-risk roles. Criminal record checks where legislation permits, credit and financial background checks for roles with fiduciary responsibility, and security clearance verification where applicable. Document why each check type applies to each tier — auditors will ask.
4. Integrate screening into onboarding workflow. No system access before checks complete. This means your HR workflow and IT provisioning processes need a formal handoff gate. If the screening report isn’t marked complete, the access request doesn’t get approved.
5. Implement re-screening triggers. Define the events that trigger additional verification: promotion to a higher-privilege role, transfer to a different business unit with different data sensitivity, and periodic review cycles for anyone in a critical role (annually is common practice).
6. Store screening records securely. Screening reports contain sensitive personal information. Apply access controls that restrict visibility to authorized HR personnel, retain records per your jurisdiction’s data protection requirements, and document your retention schedule. In practice, this means a dedicated secure repository — not a shared HR drive — with audit logging on access events.
7. Obtain informed consent. Before initiating any check, candidates must understand what you’re verifying, why, and how the data will be stored and used. This isn’t just ethical practice — it’s a legal requirement in most jurisdictions.
Common mistakes to avoid:
- Screening only permanent employees while ignoring contractors and temporary staff
- Completing checks after granting system access (“we’ll catch up later” — you won’t)
- Applying identical check depth to all roles regardless of risk
- Treating screening as a one-time onboarding gate with no re-screening process
- Failing to document screening decisions, including cases where adverse findings were reviewed and a hiring decision was still made
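To make the handoff gate (step 4), the re-screening triggers (step 5) and the audit trail (step 6) concrete, here is an added Python model; it is example code written for this article, not part of any HR or provisioning product. The tier names, check names, the placeholder jurisdiction code "XX" and the 365-day cycle are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Optional
# Risk-based screening matrix (constructed for this example): tier -> required checks.
BASELINE = {"identity", "employment_history", "qualifications", "reference"}
MATRIX = {"standard": BASELINE,
          "elevated": BASELINE | {"criminal_record"},
          "critical": BASELINE | {"criminal_record", "financial"}}
TIER_RANK = {"standard": 0, "elevated": 1, "critical": 2}
# Checks local law forbids for the role; "XX" is a placeholder code, not a real country.
UNLAWFUL = {"XX": {"criminal_record"}}
RESCREEN_EVERY = {"critical": timedelta(days=365)}  # annual cycle for critical roles

@dataclass
class Candidate:
    name: str
    tier: str
    jurisdiction: str
    consent: bool
    completed: dict = field(default_factory=dict)  # check -> date it was finished
    last_screened: Optional[date] = None

def required_checks(tier: str, jurisdiction: str) -> set:
    """Checks the matrix demands for the tier, minus any that local law prohibits."""
    return MATRIX[tier] - UNLAWFUL.get(jurisdiction, set())

def access_gate(c: Candidate, start: date, audit_log: list) -> bool:
    """HR-to-IT handoff gate: approve only with consent and every check done by start."""
    reasons = []
    if not c.consent:
        reasons.append("no informed consent")
    for chk in sorted(required_checks(c.tier, c.jurisdiction)):
        done = c.completed.get(chk)
        if done is None:
            reasons.append(f"{chk} missing")
        elif done > start:
            reasons.append(f"{chk} finished after start date")
    approved = not reasons
    audit_log.append({"candidate": c.name, "tier": c.tier, "approved": approved,
                      "reasons": reasons, "at": datetime.now(timezone.utc).isoformat()})
    return approved

def rescreen_trigger(c: Candidate, new_tier: str, today: date) -> Optional[str]:
    """Re-screening events: move to a higher tier, or the periodic cycle lapsing."""
    if TIER_RANK[new_tier] > TIER_RANK[c.tier]:
        return "promotion to higher-privilege tier"
    due = RESCREEN_EVERY.get(c.tier)
    if due and c.last_screened and today - c.last_screened > due:
        return "periodic review overdue"
    return None
```

The gate refuses provisioning for a late or missing check and records the reasons, which is the evidence an auditor samples; the provisioning request itself is the one thing this model deliberately leaves to your IT workflow.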
For Your Vendors
When your vendors’ employees access your systems or data, their screening practices become your risk. Understanding ISO 27001’s third-party risk requirements is essential here. Third-party assessment for 6.1 requires specific questionnaire questions and evidence requests.
Questionnaire questions to include:
- “Describe your personnel screening policy. Does it differentiate by role risk level?”
- “Do you screen contractors and temporary staff, or rely on staffing agencies to do so?”
- “What specific checks are performed for personnel with access to client data or systems?”
- “How do you handle situations where screening results are incomplete or adverse?”
- “Is screening completed before personnel are granted access to client environments?”
Evidence to request:
- Personnel screening policy document
- Sample screening matrix showing check types per role tier (redacted for personal data)
- Confirmation that checks are completed before access is provisioned
Red flags that should escalate your assessment:
- “We rely on the staffing agency” without evidence of verifying agency screening standards
- No documented screening policy
- A screening policy that applies the same checks to all roles regardless of risk level
- Inability to provide evidence that screening is completed before access is granted
- Resistance to sharing policy documents, even in redacted form
Verification beyond self-attestation: a structured vendor risk assessment does not stop at the vendor’s own answers. Request the vendor’s SOC 2 Type II report and check whether HR controls covering personnel screening are in scope. Alternatively, request their ISO 27001 certificate and Statement of Applicability to confirm that control 6.1 is included and not marked as not applicable. A vendor risk assessment questionnaire template can standardize this process across your vendor portfolio.
Audit Evidence for 6.1
When an auditor assesses your implementation of 6.1, they’re looking for specific artifacts that prove your screening process operates as documented — not just that a policy exists, but that it’s followed consistently. Preparing for an ISO 27001 audit means having evidence ready before the assessor arrives. Auditors want to trace a line from policy to evidence for specific individuals.
| Evidence Type | Example Artifact |
|---|---|
| Screening Policy | Personnel Screening Policy defining check types per role risk level, legal basis for each check, and consent requirements |
| Screening Matrix | Risk-based matrix mapping role categories (standard, elevated, critical) to required verification checks |
| Pre-employment Records | Completed screening reports (redacted) showing checks were finished before the candidate’s start date |
| Consent Forms | Signed candidate consent forms authorizing background verification checks |
| Contractor Agreements | Contract clauses requiring equivalent screening standards for third-party personnel accessing your systems |
| Re-screening Schedule | Documented triggers and cadence for ongoing screening of personnel in high-risk roles |
| Escalation Procedure | Process for handling adverse screening results, including who has decision authority |
| Audit Trail | Log of screening completions, exceptions granted, and approval decisions with timestamps |
Auditors will sample recent hires and contractors to verify that screening was completed before access was provisioned. They’ll also check that your screening depth aligns with your documented risk matrix — if your policy says critical roles get criminal record checks, they’ll verify that actually happened.
Cross-Framework Mapping
If your organization operates under multiple compliance frameworks, you’re likely implementing overlapping controls. Understanding where 6.1 maps to equivalent requirements in other frameworks helps you avoid duplicating effort and strengthens your overall compliance posture.
| Framework | Equivalent Control(s) | Coverage |
|---|---|---|
| NIST 800-53 | PS-03 (Personnel Screening) | Full |
| NIST 800-53 | SA-21 (Developer Screening) | Partial |
| SOC 2 | CC1.4 (Board and Management Oversight — competence and integrity) | Partial |
| CIS Controls v8.1 | 6.1 (Establish an Access Granting Process — personnel aspect) | Partial |
| NIST CSF 2.0 | GV.RR-02 (Roles, responsibilities, and authorities) | Partial |
| DORA (EU) | Article 5 (ICT risk management — governance including personnel) | Partial |
NIST SP 800-53 Rev. 5 PS-03 is the closest equivalent, covering the same scope of pre-employment screening, ongoing verification, and risk-proportionate checks. SA-21 extends screening specifically to developers working on organizational systems, which partially overlaps with 6.1’s broader personnel scope. The remaining frameworks address personnel trust through governance and access controls rather than dedicated screening requirements, which is why their coverage is partial.
For organizations pursuing multiple certifications, mapping 6.1 evidence to PS-03 requirements can significantly reduce the documentation burden. A single screening matrix and policy set, structured to address both standards, satisfies two compliance obligations with one implementation effort.
Related ISO 27001 Controls
Control 6.1 doesn’t operate in isolation. It initiates the personnel security lifecycle that several adjacent controls depend on and build upon.
| Control ID | Control Name | Relationship |
|---|---|---|
| 6.2 | Terms and conditions of employment | Employment contracts should reference screening requirements and document the security obligations screening validates |
| 6.3 | Information security awareness, education and training | Training complements screening — screening validates who someone is, training validates what they know |
| 6.4 | Disciplinary process | Defines consequences when screening gaps or deliberate deceptions are discovered post-hire |
| 6.5 | Responsibilities after termination or change of employment | Offboarding connects to the full personnel lifecycle that screening initiates |
| 6.6 | Confidentiality or non-disclosure agreements | NDAs are typically signed alongside screening consent during the onboarding process |
| 5.3 | Segregation of duties | Role separation reduces the blast radius if screening misses a risk |
| 5.15 | Access control | Access decisions should factor in screening completion status — no access before screening clears |
| 5.20 | Addressing information security within supplier agreements | Extends screening requirements to third-party personnel through contractual obligations |
The strongest dependency is between 6.1 and 5.15 (access control). If your access provisioning process doesn’t check screening status, you’ve built a gate that’s always open. Similarly, the link to 5.20 (supplier agreements) is critical for organizations with large vendor ecosystems — contractual screening requirements are only effective if you verify compliance, not just include the clause.
Frequently Asked Questions
What is ISO 27001 6.1?
ISO 27001 control 6.1 requires organizations to conduct background verification checks on all candidates before employment and on an ongoing basis, proportional to business risk and applicable laws. It covers employees, contractors, and third-party personnel who access information or systems within the ISMS scope.
What happens if 6.1 is not implemented?
Without personnel screening, organizations risk granting system access to individuals with fabricated credentials, undisclosed conflicts of interest, or histories that make them unsuitable for sensitive roles. This increases exposure to insider threats, data breaches, and regulatory penalties — and will result in a nonconformity finding during an ISO 27001 certification audit.
How do you audit 6.1?
Auditors review your screening policy, verify that checks were completed before access was granted for a sample of recent hires and contractors, and confirm that screening depth aligns with a documented risk-based matrix. They also check for evidence of ongoing re-screening for high-risk roles and that screening records are stored securely.
How UpGuard Helps
Personnel screening extends beyond your own organization when vendors and third parties access your systems. UpGuard’s platform helps you assess whether your vendors meet personnel screening requirements through automated security questionnaires that cover control 6.1 specifically, continuous monitoring of vendor security postures, and structured evidence collection that maps to audit requirements.