ISM-0434 ASD Information Security Manual (ISM)

Ensure Personnel Employment Screening and Security Clearance

Staff need employment screening and, where necessary, a security clearance before being granted system access.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Personnel undergo appropriate employment screening and, where necessary, hold an appropriate security clearance before being granted access to systems and their resources.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure that people who need access to important or sensitive systems go through proper background checks and, if needed, have a security clearance. This is crucial because if someone not properly vetted gets access, they could misuse sensitive information, leading to data breaches, financial losses, or harm to your organisation's reputation.

Why it matters

Without employment screening and required security clearances, unsuitable staff may gain access, increasing the risk of insider threat, data breaches and loss of trust.

Operational notes

Before granting access, verify HR screening completion and required clearance level; revalidate clearances and keep a current register mapped to roles and systems.

Implementation tips

  • HR should perform thorough background checks: Before hiring, the HR team should verify employment history and qualifications, and conduct reference checks, to ensure candidates are trustworthy. This can be done by contacting previous employers and using professional screening services.
  • Managers should identify roles needing security clearance: Managers must determine which positions involve access to sensitive systems and require a security clearance. They should list these roles and ensure candidates are informed about the need for clearance before hiring.
  • Assign a security officer to handle clearances: A security officer should be responsible for coordinating the security clearance process for new hires. This involves understanding the levels of clearance required and liaising with the relevant authority to process applications.
  • IT should manage access rights carefully: The IT team needs to ensure that system access is only granted once the required checks and clearances are complete. They should use an access management system to track and manage permissions.
  • Conduct regular reviews: Management should periodically review current employees’ clearances and background checks to ensure they are still valid and appropriate for their roles. This can be done annually or in response to changes in job functions.

Audit / evidence tips

  • Ask: a list of positions requiring security clearance: Request documentation that details which roles need clearance and why

  • Good: record includes contact details of referees and dates of checks

  • Ask: how employees are screened before being given system access

    Good: includes a detailed, step-by-step process of checks performed

  • Good: document includes steps, responsible individuals, and review intervals

  • Ask: to see logs or records showing access was only granted after clearances

    Good: log shows a clear linkage between clearance approval and access granted date
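
The check behind the last audit tip and the operational notes above, as an added example that is not part of the ISM or of Control Stack: it reconciles an access-grant log against a clearance register and reports grants that lack supporting evidence. The record layout, sample data, expiry field and the threshold at which a clearance is required (CLEARANCE_FROM) are assumptions; the classification labels are the ones listed on this page, taken as ordered lowest to highest.

```python
from datetime import date

LEVELS = ["NC", "OS", "P", "S", "TS"]  # labels from this page, assumed low to high
CLEARANCE_FROM = "P"                   # assumption: set this to your own policy
rank = LEVELS.index

def audit_grants(register, grants, as_of):
    """Return (person, system, [problems]) for each grant lacking evidence."""
    findings = []
    for g in grants:
        rec = register.get(g["person"], {})
        problems = []
        screened = rec.get("screened")
        if screened is None:
            problems.append("no screening record")
        elif screened > g["granted"]:
            problems.append("granted before screening completed")
        if rank(g["classification"]) >= rank(CLEARANCE_FROM):
            clr = rec.get("clearance")
            if clr is None:
                problems.append("no clearance held")
            else:
                level, approved, expires = clr
                if rank(level) < rank(g["classification"]):
                    problems.append("clearance below system classification")
                if approved > g["granted"]:
                    problems.append("granted before clearance approved")
                if expires < as_of:
                    problems.append("clearance expired, revalidate")
        if problems:
            findings.append((g["person"], g["system"], problems))
    return findings

# Constructed sample data. clearance = (highest level cleared for, approved, expires)
REGISTER = {
    "alice": {"screened": date(2024, 3, 1), "clearance": ("S", date(2024, 5, 10), date(2034, 5, 10))},
    "bob":   {"screened": date(2025, 1, 15), "clearance": None},
    "carol": {"screened": date(2023, 7, 2), "clearance": ("P", date(2023, 9, 1), date(2025, 9, 1))},
}
GRANTS = [
    {"person": "alice", "system": "case-mgmt", "classification": "S", "granted": date(2024, 4, 20)},
    {"person": "bob", "system": "intranet", "classification": "OS", "granted": date(2025, 1, 20)},
    {"person": "bob", "system": "hr-db", "classification": "P", "granted": date(2025, 2, 1)},
    {"person": "carol", "system": "case-mgmt", "classification": "S", "granted": date(2023, 9, 5)},
    {"person": "dave", "system": "intranet", "classification": "NC", "granted": date(2025, 6, 1)},
]
if __name__ == "__main__":
    for person, system, problems in audit_grants(REGISTER, GRANTS, date(2026, 2, 22)):
        print(f"{person} -> {system}: {'; '.join(problems)}")
```

An empty result is the evidence an auditor is looking for; each finding names the grant to investigate and the reason.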

Cross-framework mappings

How ISM-0434 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially overlaps (1)
Annex A 6.1 ISM-0434 requires personnel to undergo appropriate employment screening and, where necessary, hold an appropriate security clearance befo...
Supports (1)
Annex A 5.15 ISM-0434 requires employment screening and, where necessary, security clearance before personnel are granted access to systems and resources
