HR & Organisation
ISO specific HR/Organization requirements include:
- Chapter 5: Top Management Responsibilities
- Demonstrate leadership and commitment
- Establish the Security Policy
- Establish and communicate responsibilities and authorities for ISMS roles
- Chapter 7: Resources- Determine and provide the resources needed for the ISMS implementation, maintenance & continuous improvement
- Focus on the Competencies needed to perform the job
- All ISMS team members should acknowledge their responsibilities as well as their contribution towards an effective ISMS
- Determine What, When, and How to communicate both internally and externally, the ISMS priorities
- Determine and maintain what needs to be documented (in compliance with this standard)
After using the ‘Mandatory ISO27001 Topics document’ for the Organization & Context in step 1 it is time to review the file. Changing or improving the document will add value to the procedure.
While C-level tasks are embedded in all steps, HR requires your increased attention. The checklist below will support you with chapters 5 and 7 and provide evidence for external audit related questions.
NB It is important not to skip this step as it will be used in the (future) Real Time Audit feature.
- Section Leadership & Management – @people
- Add C-level roles in Job titles
- Checkbox ISMS team member – for all ISMS Team Members
- If applicable, add ISMS Roles for each member :eg., Security Officer, Privacy Officer / Compliance Officer. The internal auditor role can be either carried out by one of your team members or externally outsourced. Additional ISMS Team members can be added in the future.
- Make sure that all ISMS Team members have ‘Enabled the Reminder Notification’ in this section and added their business email address in the tab “Contact”. Reminders will be sent for Improvements, Controls, and Calls to Actions.
- Update this section regularly (check your security meeting & call to action notes)
- Check if there is personal data stored in this section (e.g. contact details or contracts added). Ensure that only authorized personnel has access to this section.
- Section Policies & Procedure :
- The Security Policy should be managed, reviewed and approved by one of the representatives of the Management Team
Add new or review your policies & procedures: The following Policies & Procedures are related to HR/Organization and templates are provided: - Adopt the ISMS Communication Policy
- Adopt the Onboarding & Offboarding Procedure.
Or
Use these templates to create your own Template checklist – See wiki Checklist - Adopt a staff attendance Policy (if needed)
- Workspace & Equipment Policy
- The Security Policy should be managed, reviewed and approved by one of the representatives of the Management Team
- Section Measures & Controls – Security Controls :
Review your controls or add new ones. The following Controls are related to chapters 5 and 7:- Review the ISMS Resources (Yearly)
topics to address: ISMS Competences, ISMS Roles & Responsibilities, Effectiveness, Business Continuity Plan - Review and assess your ISMS Team (resources and competencies)
topics: Assess the performance of the ISMS team members based on the competencies documented in the ISMS Role Description. All identified findings can result in the creation of new improvements. . - Follow the yearly ISMS Ops Planning
Refer to the ISMS Ops Planning template in Policies &Procedure/ Templates.
Ensure all activities have assigned owners and deadlines - Perform a yearly Security Awareness Training
- Review the ISMS Resources (Yearly)
- Section Leadership & Management – HR & Organization
- Refer to the template sub-section and add the ‘1. ISO27001 mandatory Topics Documentation’ to this section
- Create your own organogram and add it to this section
- Document all current job profiles, including a description of the role, to this section. Refer to the ISMS role description templates in Policies & Procedures/Template section
- Document any relevant files that might contribute to building up strong compliance evidence
- Refer to the template sub-section and add the ‘1. ISO27001 mandatory Topics Documentation’ to this section
Other things to check:
- Is Strategy & Ambition (Organisation & Context and ISMS Objectives) approved by a representative of the Management Team?
- Are members of the Management Team involved in the Information Security Risk Assessment (ISRA) ?
- Is Business Continuity Plan (BCP) approved by a representative of the Management Team?
- The High-Risk Supplier Assessments must be approved by the owner or by a representative of the Management Team?
- Do members of the Management Team participate in Security Meetings? How is Compliance Progress is communicated with Management?
- The results of Internal Audits must be communicated to and approved by Management
- The Management Review must be communicated to and approved by Management
- The Scope and Statement of Applicability must be done in collaboration with and approved by Management
| Field | Value/ Description | Example |
| Document name | Free text field | Organograms, On-boarding checklist, Roles and Competences |
| Owner | Select owner from a drop-down menu function. | Team member name |
| Description | Free text field | Additional information about the document |
| Document – Versions Number | Upload the document +Add new version | The documents uploaded in this section are numbered according to the date and time when they were added. The last added document will count as the latest version of the document. |
| Annual reviews and Approvals | Date +Add new review | Select the date when the document was reviewed and approved. The team members name will also be recorded along with the date and time. |
