December 4, 2014

Last Updated on December 4, 2014

A client recently asked me about the need to perform background checks on employees as part of their ISO 27001 compliance efforts. Being a smaller company, they had never performed formal background checks on their current employees. They felt that doing so now would be both costly and injurious to their company culture.
My response was that background checks are not absolutely required for ISO 27001 compliance. This advice might seem surprising given that many sources attribute more data theft and security incidents to “insiders” than to outside agents. For example, Carnegie-Mellon University’s recent report entitled 2013 US State of Cybercrime Survey: How Bad is the Insider Threat found that:

  • 53% of respondents found “damage caused by insider attacks more damaging than outsider attacks.”
  • 23% of “electronic crime events” were known or suspected to have been caused by insiders.

Background checks on employees, contractors and consultants working for or on behalf of your organization are generally recommended as part of good information security practice, commensurate with the level of trust and responsibility associated with a person’s position. But the decision not to check your employee’s backgrounds can be justified in either of two ways, and both are based on risk management.
First, and perhaps easiest to justify, employees can be “grandfathered” into a compliant organization with no background checks required. For example, it could reasonably be deemed unlikely that an employee who has already been with the company for more than seven years and has had access to sensitive information for much of that time would decide to engage in some untoward activity. As a part of its risk analysis, an organization could legitimately calculate and accept this comparatively low level of risk based on its years of first-hand knowledge of the character(s) of the individual(s) in question.
Likewise, a company can choose to implement background checks on only those employees that are new to the organization (perhaps those that have less than three years, if that makes sense to management), and/or on those who have the most exposure to protected data (database administrators, for example).
Second, and probably more difficult to justify, not all controls in the ISO 27001 standard must be selected in order for an organization to achieve compliance. Part of the process of establishing an ISO 27001 compliant Information Security Management System is the documented selection of controls referred to as the Statement of Applicability. If an organization is small or there are compensating controls, background checks can be left out.
The only caveat to the above is that other standards or regulations may require background checks regardless of ISO certification, time with the company, or any other consideration. Organizations need to consider this factor as well.
If you want to talk over the issue of background checks and whether they are important to your organization’s security posture, contact Pivot Point Security.