What is ISO?
The International Organization for Standardization (ISO) brings together standardization bodies and authorities from different countries.
In our experience the word standardisation carries a somewhat negative, even discredited, connotation. Let us therefore be clear that we use it in its technical sense: the setting of objective criteria, i.e. standards, for a certain activity.
Food quality, information protection, environmental protection, occupational health and safety, but also, for example, compliance systems, protection of personal data or standardised requirements for certain types of products and protective equipment are all areas, along with many more, for which ISO issues standardised sets of requirements and rules to ensure quality and reliability.
How do ISO standards work?
ISO standards define generally established and recognised principles in a particular field, for example food safety or anti-corruption. They also contain specific requirements to ensure and demonstrate the application of these principles in the organisation's activities.
In practice, ISO standards can be approached in two ways:
- Put the procedures of a specific ISO standard into practice to ensure that what is key to the organisation is done correctly and to a high standard, whether it is producing a specific product, protecting internal information or reducing the negative environmental impact of an activity.
- An organisation may also choose not only to implement the requirements of the ISO standard, but to have them certified as being applied effectively and correctly. An independent third party will assess whether the ISO standard is actually applied in practice. If so, it will confirm this with a generally recognised certificate.
Who are ISO standards suitable for?
ISO standards can likewise be used in two ways: internally and externally.
What does it mean to use an ISO standard internally?
Management wants to make sure that it has its key processes under control, produces safe products, ensures the safety of employees in the workplace, has a good system in place to prevent bribery, meets the requirements of changing legislation, etc. Therefore, it will follow the examples of best practices summarised in the relevant ISO standard and implement them in its own internal processes, procedures and guidelines.
However, for many organisations it is also important to demonstrate their compliance with an ISO standard externally: to be able to show their customers, business partners, parent company, regulators and anyone else, clearly and quickly, that they are serious about production quality, information protection or bribery prevention. That is what certification is for: an independent and trustworthy confirmation that an organisation actually follows the chosen ISO standard in practice.
Standard ISO 27001:2022 and background check
ISO, jointly with the IEC, also issues standards for information security management systems (ISMS).
In October 2022 a new version of the relevant standard, ISO/IEC 27001:2022 (Information security, cybersecurity and privacy protection - Information security management systems - Requirements), was released, containing specific requirements and measures to ensure systematic information protection, cybersecurity and privacy protection.
This is not a new standard but a revision of the 2013 edition. The security controls in Annex A are organised differently (four themes, organisational, people, physical and technological, instead of the previous 14 domains), some controls are merged and others are made more specific, so that the total drops from 114 to 93. The revision also introduces 11 new controls with which an organisation can demonstrate that it takes information protection seriously. Implementation guidance for the controls is published separately in ISO/IEC 27002:2022.
One of the requirements that has remained virtually unchanged in ISO/IEC 27001:2022 is the requirement to verify and screen job applicants (Annex A control 6.1, Screening; control A.7.1.1 in the 2013 edition).
The standard requires a background check process, i.e. verification of the professional history and credibility of all candidates before they become personnel, and it requires that this verification continues on an ongoing basis during the employment relationship. All this must, of course, take into account the specific needs of the organisation, the legislation and ethical rules that apply to its activities, the classification of the information the person will access, and the risks associated with the job.
In other words, without an individualised and organisationally appropriate process for verifying the trustworthiness of applicants and employees, compliance with ISO/IEC 27001:2022 cannot realistically be achieved. An Annex A control can be omitted only with a documented justification in the Statement of Applicability, and an auditor will expect a very good reason for omitting one this fundamental. Without it, the organisation's information protection processes will be incomplete both internally and externally, and certification cannot be relied upon to support them.
Other standards and regulations
The requirement to verify job applicants can also be found in other standards, and it is often important, if not necessary, for ensuring compliance with generally binding legislation.
A few examples:
- ISO 37001:2016: this standard defines the requirements for an anti-bribery management system. One of its key elements is due diligence on new employees with respect to the subject of the standard: their previous behaviour, any involvement in bribery cases, links to public officials, etc.
- ISO 19600:2014 (since replaced by ISO 37301:2021): this standard provided guidelines for a compliance management system, i.e. the internal process for ensuring compliance with the legal and ethical requirements imposed on an organisation. Among the controls that support the stated objective of compliance with legal and ethical requirements, it too includes a process for verifying applicants for employment in the organisation; ISO 37301:2021 turns these guidelines into certifiable requirements.
- Cybersecurity: the Cybersecurity Act requires a number of private and public sector organisations to put in place sufficient technical and organisational measures to protect critical information systems. The forthcoming NIS2 Directive (Directive (EU) 2022/2555) will both extend the scope of these measures (to other, supporting, information systems) and increase the number of organisations affected by these obligations by roughly an order of magnitude. In a number of cases, in order to comply with the Cybersecurity Act, or with its new wording after the NIS2 amendment, a documented process for vetting job applicants will also be needed. Are you ready for the new NIS2 cybersecurity regulation? Even when recruiting employees?
- Data protection, or GDPR, is still alive: rules for processing personal data should be set up as a process, with responsibilities, defined procedures, roles, security measures and appropriate documentation. Otherwise the GDPR's accountability principle (Article 5(2)), under which the controller or processor must be able to demonstrate compliance, will not be met. This in itself is an infringement, punishable in the most serious cases by a fine of up to EUR 20 million or 4% of the total worldwide annual turnover of the undertaking, whichever is higher (Article 83). And of course, poorly set up internal governance can lead to data loss, unauthorised disclosure, misuse, unlawful alteration, etc., with all the negative consequences for the individuals concerned and for the data controller itself. Personnel measures are an integral part of the measures protecting any personal and sensitive data processed. If an organisation experiences a data loss, leak or other security incident affecting personal data, it is its responsibility to document what security measures it had in place, what it did not have in place and why. It may not be easy to justify the absence of any trustworthiness verification for employees who have direct access to sensitive personal data and who can, negligently or intentionally, cause a major problem.
- Sector regulation: many organisations are required by sector regulations to address the trustworthiness of their employees. Examples are the civil service law for civil servants, financial regulation for employees involved in offering and servicing certain financial products (consumer credit, insurance, etc.), and the regulation protecting classified information.
How to solve it?
Internal information, personal data, cybersecurity, consumer protection, market confidence, parent company requirements, sector regulation... If any of these matter to your organisation, you cannot avoid background checks.
Or, at the very least, you should think the question through thoroughly and be able to justify why you are not conducting this important check. At best you will have to justify it in an audit or in a discussion with a parent company or business partner, at worst in a supervisory review or in court.
Vetting job applicants on your own can be expensive, inefficient and ineffective. It is therefore worth considering, and perhaps at least trying, a specialist professional service, especially when it is simple, proven and available in literally a few clicks. Employee verification quickly and cheaply? Yes, you can!