Personnel Background Verification
Conduct background checks on all job candidates before hiring to manage risks.
Plain language
This control is about doing background checks on people before they start working for your organisation and making sure they stay suitable for their job. It matters because if the wrong person has access to your sensitive information or facilities, it could lead to data breaches or other security issues.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
People controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Why it matters
Poor background checks can grant untrustworthy individuals access to sensitive data, risking breaches and damaging the organisation’s reputation.
Operational notes
Regularly review vetting processes to match evolving risks; tailor checks to role sensitivity, information classification, and applicable legal and ethical requirements.
Implementation tips
- The HR department should conduct thorough background checks on all job candidates. They can do this by verifying references, checking academic qualifications, and confirming their employment history. Be sure to inform candidates about the checks and comply with the Privacy Act 1988 in Australia.
- The IT manager should work with HR to ensure all checks are done before granting access to sensitive information. Implement processes to confirm checks are complete before new hires can access critical data systems.
- The legal team should ensure that all background check processes comply with Australian laws and regulations. They should review the procedures to ensure compliance with the Privacy Act 1988 and other relevant laws.
- Managers responsible for hiring should identify which roles require more detailed checks, such as criminal record or financial reviews, especially for positions accessing sensitive data. This can be based on the level of data access or risk associated with the role.
- To maintain ongoing compliance, set up regular intervals where employee suitability is re-evaluated. This ensures all personnel remain fit for their roles, especially if handling confidential or sensitive information.
Audit / evidence tips
- Ask: the organisation's background check policy and procedure document. Good: a clear, documented policy that aligns with legal requirements and includes detailed checks.
- Ask: records of completed background checks for a selection of employees.
- Ask: evidence of legal compliance checks on the screening process.
- Ask: to see the process for handling situations where checks cannot be completed on time.
- Ask: documentation of periodic re-screenings, especially for critical roles.
Cross-framework mappings
How Annex A 6.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes |
|---|---|
| Partially meets (1) | |
| ISM-0613 | ISM-0613 requires that system administrators for gateways connecting to Australian Eyes Only or Releasable To networks are Australian nat... |
| Partially overlaps (1) | |
| ISM-0434 | Annex A 6.1 requires organisations to conduct background verification checks for all personnel before commencement and on an ongoing basi... |
| Supports (2) | |
| ISM-0269 | ISM-0269 requires that distribution list recipients of AEO/AGAO/Releasable To emails have confirmable nationalities before sending |
| ISM-1773 | ISM-1773 mandates that gateway system administrators for Australian Government Access Only networks be Australian nationals or seconded f... |
| Related (1) | |
| ISM-1520 | Annex A 6.1 requires organisations to perform background verification for all candidates and personnel, including ongoing checks, aligned... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.