Personnel Background Verification
Conduct background checks on all job candidates before hiring to manage risks.
🏛️ Framework
ISO/IEC 27001:2022
🧭 Control effect
Preventative
🧱 ISO 27001 domain
People controls
🔐 Classifications
N/A
🗓️ Official last update
24 Oct 2022
✏️ Control Stack last updated
22 Feb 2026
🎯 Maturity levels
N/A
Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Source: ISO/IEC 27001:2022
Plain language
This control is about screening people before they start working for your organisation and confirming, on an ongoing basis, that they remain suitable for their role. The depth of the checks should be proportional to the sensitivity of the information and facilities the role can reach, and must stay within applicable laws, regulations and ethical limits. It matters because if the wrong person gets access to sensitive information or facilities, the result can be data breaches or other security incidents that technical controls alone will not catch.
Why it matters
Weak or missing background checks can give untrustworthy individuals access to sensitive data and systems, increasing the risk of breaches, insider misuse and damage to the organisation's reputation.
Operational notes
Regularly review vetting processes to match evolving risks; tailor checks to role sensitivity, information classification, and applicable legal and ethical requirements.
Implementation tips
- The HR department should conduct thorough background checks on all job candidates, for example by verifying references, checking academic qualifications and confirming employment history. Inform candidates about the checks, obtain their consent, and handle the collected information in line with the Privacy Act 1988 in Australia.
- The IT manager should work with HR so that no account or access to sensitive information is provisioned until HR has recorded the required checks as complete. Build this into the joiner process rather than relying on memory: a new hire should not be able to reach critical data systems until the screening record says they are cleared.
- The legal team should confirm that the screening process complies with Australian laws and regulations, including the Privacy Act 1988 and other relevant legislation, and review the procedures whenever they change.
- Managers responsible for hiring should identify which roles require more detailed checks, such as criminal record or financial history checks, especially for positions with access to sensitive data. The level of checking can be based on the data access or risk associated with the role.
- To maintain ongoing compliance, set regular intervals at which employee suitability is re-evaluated, and re-screen when a person moves into a more sensitive role. This ensures personnel remain fit for their roles, especially when handling confidential or sensitive information.
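As an added example (not code from the original page or from Control Stack), the following Python sketch shows how the "no access until screening is complete" gate and the periodic re-screening interval from the tips above could be enforced in a joiner workflow. The classification tiers, check names and re-screen intervals are assumptions for illustration only and would come from your own screening policy; the sample records are constructed, not real personnel data.

```python
"""Joiner access gate: refuse provisioning until screening proportional to the
role's information classification is recorded as complete and current."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed mapping from information classification to required screening checks.
# These tiers and check names are illustrative, not from ISO/IEC 27001; take
# them from your own screening policy.
REQUIRED_CHECKS = {
    "public": {"identity", "right_to_work"},
    "internal": {"identity", "right_to_work", "references"},
    "confidential": {"identity", "right_to_work", "references",
                     "employment_history", "qualifications"},
    "restricted": {"identity", "right_to_work", "references",
                   "employment_history", "qualifications",
                   "criminal_record", "financial"},
}

# Assumed re-screening interval per classification (None = no periodic re-screen).
RESCREEN_INTERVAL = {
    "public": None,
    "internal": None,
    "confidential": timedelta(days=3 * 365),
    "restricted": timedelta(days=365),
}


@dataclass
class ScreeningRecord:
    person_id: str
    consent_recorded: bool   # candidate was informed and consented to the checks
    completed: dict          # check name -> date the check was completed


@dataclass
class GateDecision:
    allowed: bool
    reasons: list            # empty when allowed; otherwise every blocking item


def evaluate_access(record, classification, today):
    """Decide whether accounts for data at `classification` may be provisioned.

    All blocking conditions are collected rather than stopping at the first
    one, so HR sees the full list of outstanding items in a single pass. This
    is also the hook for the "checks cannot be completed on time" process: the
    decision is a denial with the outstanding checks named.
    """
    if classification not in REQUIRED_CHECKS:
        raise ValueError(f"unknown classification: {classification!r}")

    reasons = []
    if not record.consent_recorded:
        reasons.append("candidate consent to screening not recorded")

    missing = sorted(REQUIRED_CHECKS[classification] - set(record.completed))
    if missing:
        reasons.append("checks not completed: " + ", ".join(missing))

    interval = RESCREEN_INTERVAL[classification]
    if interval is not None:
        # A check is stale once it is older than the re-screen interval.
        stale = sorted(
            name for name in REQUIRED_CHECKS[classification]
            if name in record.completed
            and today - record.completed[name] > interval
        )
        if stale:
            reasons.append("re-screening due for: " + ", ".join(stale))

    return GateDecision(allowed=not reasons, reasons=reasons)


def next_rescreen_date(record, classification):
    """Earliest date on which a required check falls outside the interval,
    or None when the classification has no periodic re-screening."""
    interval = RESCREEN_INTERVAL[classification]
    if interval is None:
        return None
    dates = [record.completed[n] for n in REQUIRED_CHECKS[classification]
             if n in record.completed]
    if not dates:
        return None
    return min(dates) + interval


if __name__ == "__main__":
    # Constructed sample records, not real personnel data.
    today = date(2026, 3, 1)
    new_hire = ScreeningRecord("emp-0001", True, {
        "identity": date(2026, 2, 10), "right_to_work": date(2026, 2, 10),
        "references": date(2026, 2, 20),
    })
    print(evaluate_access(new_hire, "internal", today))    # allowed
    print(evaluate_access(new_hire, "restricted", today))  # blocked: missing checks
```

The provisioning step in the identity system would call `evaluate_access` and create accounts only when `allowed` is true; the `reasons` list is what goes back to HR, and `next_rescreen_date` can feed a reminder queue so re-screening for sensitive roles is scheduled rather than remembered.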
Audit / evidence tips
- Ask: the organisation's background check policy and procedure document
  Good: a clear, documented policy that aligns with legal requirements and includes detailed checks
- Ask: records of completed background checks for a selection of employees
- Ask: evidence of legal compliance checks on the screening process
- Ask: to see the process for handling situations where checks cannot be completed on time
- Ask: documentation of periodic re-screenings, especially for critical roles
Cross-framework mappings
How Annex A 6.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| ISM-0613 | ISM-0613 requires that system administrators for gateways connecting to Australian Eyes Only or Releasable To networks are Australian nat... | |
| ISM-1520 | ISM-1520 requires gateway system administrators to undergo appropriate employment screening and, where necessary, hold an appropriate sec... | |
| Partially overlaps (1) | | |
| ISM-0434 | ISM-0434 requires personnel to undergo appropriate employment screening and, where necessary, hold an appropriate security clearance befo... | |
| Supports (2) | | |
| ISM-0269 | ISM-0269 requires that distribution list recipients of AEO/AGAO/Releasable To emails have confirmable nationalities before sending | |
| ISM-1773 | ISM-1773 mandates that gateway system administrators for Australian Government Access Only networks be Australian nationals or seconded f... | |