Screening
Background verification checks on all candidates to become personnelshall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Terms and conditions of employment
The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security.
Information security awareness, education and training
Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.
Disciplinary process
A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.
Responsibilities after termination or change of employment
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.
Confidentiality or non-disclosure agreements
Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified,documented, regularly reviewed and signed by personnel and other relevant interested parties.
Remote working
Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.
Information security event reporting
The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.