ISM-0434 ASD Information Security Manual (ISM)

Ensure Personnel Employment Screening and Security Clearance

Staff need job screening and security clearance for system access.

Plain language

This control is about making sure that people who need access to important or sensitive systems go through proper background checks and, if needed, have a security clearance. This is crucial because if someone not properly vetted gets access, they could misuse sensitive information, leading to data breaches, financial losses, or harm to your organisation's reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Personnel undergo appropriate employment screening and, where necessary, hold an appropriate security clearance before being granted access to systems and their resources.

Why it matters

Without employment screening and required security clearances, unsuitable staff may gain access, increasing insider threat, data breaches and loss of trust.

Operational notes

Before granting access, verify HR screening completion and required clearance level; revalidate clearances and keep a current register mapped to roles and systems.

Implementation tips

  • HR should perform thorough background checks: Before hiring, the HR team should verify employment history, qualifications, and conduct reference checks to ensure candidates are trustworthy. This can be done by contacting previous employers and using professional screening services.
  • Managers should identify roles needing security clearance: Managers must determine which positions involve access to sensitive systems and require a security clearance. They should list these roles and ensure candidates are informed about the need for clearance before hiring.
  • Assign a security officer to handle clearances: A security officer should be responsible for coordinating the security clearance process for new hires. This involves understanding the levels of clearance required and liaising with the relevant authority to process applications.
  • IT should manage access rights carefully: The IT team needs to ensure that system access is only granted once the required checks and clearances are complete. They should use an access management system to track and manage permissions.
  • Conduct regular reviews: Management should periodically review current employees’ clearances and background checks to ensure they are still valid and appropriate for their roles. This can be done annually or in response to changes in job functions.

Audit / evidence tips

  • Ask: A list of positions requiring security clearance: Request documentation that details which roles need clearance and why
  • Good: Record includes contact details of referees and dates of checks
  • Ask: How employees are screened before being given system access. Good: Includes a detailed, step-by-step process of checks performed
  • Good: Document includes steps, responsible individuals, and review intervals
  • Ask: To see logs or records showing access was only granted after clearances. Good: Log shows a clear linkage between clearance approval and access granted date

Cross-framework mappings

How ISM-0434 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Notes

Partially overlaps (1)
  • Annex A 6.1: ISM-0434 requires personnel to undergo appropriate employment screening and, where necessary, hold an appropriate security clearance befo...

Supports (1)
  • Annex A 5.15: ISM-0434 requires employment screening and, where necessary, security clearance before personnel are granted access to systems and resources

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
