What type of background checks are required for ISO 27001?
ISO 27001 allows flexibility in terms of what type of background check or screening you perform. You may choose to use one or a combination of any of the following options:
Criminal Background Checks
Identity Verification
Work History or Employment Verification
Character Reference Checks (from previous employer and/or personal reference)
Competence Verification
Education Verification
Professional Certification Verification
Skills/Aptitude Test
Do I need to perform background checks on existing employees to meet ISO 27001 requirements?
While ISO 27001:2022 Annex A.6.1 implementation guidance recommends that all employees and contractors complete a background check, your ISO 27001 auditor will most likely only verify that new hires and new contractors have had a background check completed.
Do I need to perform background checks on contractors?
If you are hiring an individual contractor (not through an agency or third-party organization), it is recommended that you perform a background check on that individual.
If you are hiring a contractor from an agency or third-party organization, it is recommended that you work with that organization to determine and/or contractually define the shared responsibilities for performing background checks on the contractors they provide to your organization.
Which Background Check providers can we use?
When it comes to selecting a tool, we recommend the background check providers that we have integrations with (Certn, Checkr, KarmaCheck). This will help simplify the process and allow users to kick off background checks as part of their onboarding in Drata. More guidance on managing background checks is available in Background Check Management.
If you are using a background check provider that Drata does not currently offer an integration with, you have the ability to manually upload proof of the background check.
Which background check provider is recommended if there are international employees and/or contractors?
Currently, Drata primarily supports Certn as the integration for international background checks. For Checkr and KarmaCheck international background checks, we recommend manually uploading proof of the background check.
What do I do if country-specific laws prohibit me from performing background checks?
ISO 27001 takes into account the laws and regulations of the specific jurisdiction where your employee resides. You can refer to the first question for a list of background check options, but the absolute minimum is an identity verification.
How often do we need to perform Background Checks?
While ISO 27001:2022 Annex A.6.1 implementation guidance recommends that all employees and contractors undergo subsequent or ongoing verification checks, the frequency will ultimately depend on your business decision and risk assessment.