What to consider in security terms and conditions for employees according to ISO 27001
A good way to ensure that people are aware of their roles and responsibilities in an organisation is by defining policies and procedures to be followed. But this solution has a limitation: they only cover the people who are already working for the organisation and already have access to information. What do you do when you need to introduce new employees or contractors into the environment?
Once the proper candidates have been selected by the organisation, it is important to ensure that information will be properly protected even at the early stages of employment. How can you achieve this when a candidate has not yet had access to the organisation’s policies and procedures?
How to make security terms and conditions, and make them important
Broadly speaking, terms and conditions of work are the general rules that an employer and an employee (or a contractor’s personnel working on the organisation’s behalf) agree upon for a job or activity. Normally they are presented during the pre-employment process in documents such as Terms and conditions of employment, Employment agreement, etc.
These documents normally cover a broad list of items such as working time (e.g., hours of work, rest periods, and work schedules), remuneration, and workplace conditions.
However, with the increasing concern over the potential impact of loss, unauthorised disclosure, or alteration of information, organisations must start including information protection items in such agreements.
In many situations, terms and conditions of employment are legal requirements for establishing a work relationship. By including security terms and conditions related to confidentiality, data protection, ethics, appropriate use of the organisation’s equipment and facilities, and use of best practices, an organisation can enhance its protection, or its position in case of legal actions involving information security incidents.
Contractual agreements of work according to ISO 27001
As a management standard, ISO 27001 does not prescribe what to include in security terms and conditions of employment, only which objective must be achieved, through control A.7.1.2 (Terms and conditions of employment): to formally state to employees, contractors and the organisation itself their responsibilities for information security.
To fulfil this objective, organisations have three alternatives:
a) Include the full content of all information security policies in the agreement. While this option provides the ideal coverage for presenting the expected behaviour towards information security at an early employment stage, it can make the document confusing, unreadable and ineffective in practice.
b) Include summarised versions of all information security policies (e.g. by adopting a corporate code of conduct) in the agreement.
Short documents are more readable, but if they are summarised too much, important elements may be left out of the picture until the person has contact with the full policies, giving all parties a false sense of security.
c) Include the full content of the most relevant information security policies and summarised versions of the others in the agreement.
This approach offers the best balance between preserving security and practical use. It can be achieved by summarising only the policies that score as lower risks according to the results of a risk assessment, while keeping the full content of the policies that cover high-risk areas.
Aspects of information security policies
When working on summarised versions for alternatives “b” or “c”, it is useful to consult the recommendations of ISO 27002, a supporting standard for implementing the ISO 27001 Annex A controls. ISO 27002 recommends that at least the following aspects should be included:
conditions for granting access to sensitive information (e.g. the signing of confidentiality or non-disclosure agreements), which must be fulfilled before new personnel can access information or information processing facilities;
rights and responsibilities of all involved parties regarding legal requirements, such as requirements for protection of copyrighted or private information under EU GDPR;
responsibilities regarding the classification and handling of information and information related assets, either owned by the organisation or received from third parties;
actions to be taken if security requirements are violated by the involved parties (e.g., application of disciplinary process, notification of law enforcement authorities, judicial appeal, etc.).
It is important to note that these security terms and conditions should continue (where justifiable) for a defined period after the end of the work relationship (e.g. information related to a new product should be protected until the product is released on the market, regardless of the phase of product development at which the work relationship ended).
Consider the “Better safe than sorry” principle with employees
Strangely enough, the most common security incidents are not related to intentional attacks, but to a lack of awareness of information security responsibilities and the consequences to the person or organisation if information security is compromised.
By following the controls established by ISO 27001, an organisation can not only handle intentional attempts to compromise information, but also develop cost-effective conditions to ensure that people who will have access to sensitive information are legally aware of their responsibilities and accountable for penalties related to information security.
Such conditions can contribute in at least two ways to improving security.
First, they can help minimise the risk of unintentional incidents, by making people aware of the minimum conditions to be followed.
Second, they can provide solid grounds for legal action against an employee or contractor who violates security rules or fails to protect the organisation, by demonstrating a good level of due diligence.