Human Resource Security Policy
Document Summary

Item                  Value
Organization          Information Dynamics
Document Name         Human Resource Security Policy
Classification        Internal
Compliance Reference  ISO/IEC 27001:2013
Document Revision History

Date               Version  Prepared By
1st November 2018  1.1      Information Dynamics
Dec 29, 2019       1.2      Arya & Sureshkutty
Dec 24, 2020       1.3      Arya & Sureshkutty
Dec 24, 2021       1.4      Vani & Sureshkutty
Document Review History

Reviewed By  Version  Date               Signature
Linda        1.1      30th October 2018
Linda        1.2      29th Dec 2019
Linda        1.3      26th Dec 2020
Linda        1.4      26th Dec 2021
Human Resource Security Policy
1. Purpose
The purpose of this policy is to provide guidance on addressing employee security
through HR functions. It covers the employee life cycle in the firm, from recruitment
to termination of services.
ISO 27001:2013 Domain Reference: A.7 – Human Resource Security
ISO 27001:2013 Reference
A.7.1.1 Screening
A.7.1.2 Terms and conditions of employment
A.7.2.1 Management responsibilities
A.7.2.2 Information security awareness, education and training
A.7.2.3 Disciplinary process
A.7.3.1 Termination or change of employment responsibilities
2. Scope
This policy applies to all activities under the scope statement of Information
Dynamics.
3. Policy
3.1. Prior to Employment
3.1.1. Roles and Responsibilities
- Security roles and responsibilities of all ID personnel shall be defined and
  documented as per the ISMS policy.
- The security roles and responsibilities shall be clearly communicated to job
  candidates during the pre-employment process.
3.1.2. Screening
- Background verification checks shall be conducted on all new employees and
  users during recruitment or post-recruitment.
- For existing employees, background verification will not be carried out.
- The verification shall be done in accordance with the business requirements
  and ethics.
- As per the business requirements, third-party background verification checks
  are not carried out. Only the last 5 years of professional experience and the
  last employer's HR verification regarding relieving and employee conduct are
  verified.
3.1.3. Terms and Conditions of Employment
The terms and conditions of employment shall reflect the ID security policy in
addition to clarifying and stating:
- that all employees, contractors and third-party users shall sign a
  confidentiality or non-disclosure agreement prior to being given access to
  information processing facilities;
- the employee's, contractor's and any other user's legal responsibilities and
  rights;
- the responsibilities of the organization for the handling of personal
  information;
- the actions to be taken if the employee, contractor or third-party user
  disregards the organization's security requirements.
3.2. During Employment
3.2.1. Management Responsibilities
Management shall ensure that all employees, contractors and third party users
are:
- adequately informed of their information security roles and responsibilities
  before they are granted access to information assets at ID; and
- aware of the security policies, procedures and practices relevant to their
  roles and responsibilities within ID, and follow them.
3.2.2. Information Security Awareness, Education, and Training
- The induction training for new joiners shall include information security
  awareness sessions.
- Periodic ISMS awareness sessions shall be conducted for all ID personnel,
  depending on their roles.
- Awareness sessions related to changes in ISMS documents shall be conducted,
  depending on the roles affected.
- A formal feedback process shall be used to evaluate the effectiveness of
  information security training.
- All records related to education, training, experience, qualifications and
  skills shall be maintained.
3.2.3. Disciplinary Process
- A formal disciplinary process shall be defined for employees who have
  committed an information security breach.
- The disciplinary action shall be decided based on the severity of the
  security incident.
- It shall take into consideration factors such as:
  - the nature and gravity of the security breach and its subsequent impact on
    the business objectives of ID;
  - whether it is a first or repeat offence;
  - the adequacy of training pertaining to
    a) policies, procedures and practices defined at ID;
    b) relevant business requirements, laws and regulations.
3.3. Termination or Change of Employment
3.3.1. Termination Responsibilities
The Human Resource department at ID shall be responsible for:
- The overall termination process; HR shall coordinate with the reporting
  manager of the departing employee to manage the security aspects of the
  relevant procedures.
- Informing users that specific aspects of their responsibilities, as mentioned
  in the NDA and the terms and conditions of employment, may continue for a
  defined period after the end of the employee's, contractor's or third-party
  user's employment with ID.
- Communicating to the concerned reporting managers the need to review access
  privileges on application systems in cases where an employee's or third
  party's employment profile changes.
3.3.2. Return of Assets
All ID personnel shall be required to return all of the organization's assets
in their possession upon termination or change of their employment.
The termination procedure shall include, but not be limited to:
- the return of all software, documents and equipment previously issued by ID;
- the return of other organizational assets such as mobile computing devices,
  credit cards, access cards, and information stored on electronic media.
3.3.3. Removal of Access Rights
The access rights of all ID resigned / transferred personnel to information
and information processing facilities shall be removed.
The following practices shall be followed:
- Revoke the access rights (logical and physical).
- Remove all access rights that are not required in the new job profile
  resulting from a change of employment.
- Immediately change shared passwords for active accounts known to the
  departing employee.
4. Associated Documentation
- End User Guidelines and Code of Conduct
- Acceptable Use of Assets Policy
- Non-Disclosure Agreements between the employee and the firm