A.6.1 — Are background screening checks performed on candidates before employment, proportionate to the role?
Description
What this control does
This control requires organizations to conduct background verification checks on employment candidates before hiring, with the scope and depth of screening proportionate to the sensitivity of the role, access levels required, and applicable legal requirements. Screening may include identity verification, criminal record checks, employment history validation, education credential verification, credit checks (where permitted), and reference checks. The control ensures that individuals granted access to organizational assets, facilities, and information systems have been vetted to reduce insider threat risk and maintain trust in the workforce.
Control objective
What auditing this proves
Demonstrate that the organization performs background screening checks on all candidates prior to employment commensurate with role sensitivity, access privileges, and regulatory requirements, and that records of completed checks are maintained.
Associated risks
Risks this control addresses
- Hiring individuals with undisclosed criminal backgrounds who may engage in fraud, theft, or sabotage once granted system access
- Granting privileged access to candidates who falsified credentials or employment history, leading to unqualified personnel managing critical security controls
- Insider threats from employees with unreported conflicts of interest, financial distress, or affiliations with threat actors
- Regulatory non-compliance and penalties where background checks are mandated by law or industry standards (e.g., financial services, healthcare, government contracting)
- Reputational damage and loss of customer trust following security incidents caused by inadequately vetted personnel
- Unauthorized disclosure of sensitive information by employees who were not screened for trustworthiness or history of policy violations
- Physical security breaches when individuals with violent or theft-related criminal histories are given facility access without screening
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's background screening policy, including scope, types of checks performed, role-based screening matrices, and legal compliance provisions.
- Request a complete list of all employees hired within the past 12 months, including role titles, hire dates, and classification of access levels (e.g., privileged, standard, contractor).
- Select a representative sample of at least 15-20 new hires across different role types, including high-privilege positions (e.g., system administrators, finance staff, executives).
- For each sampled employee, request evidence of completed background checks, including third-party provider reports, dates conducted, scope of checks performed, and approval records.
- Verify that the scope of background checks performed aligns with role sensitivity as defined in policy (e.g., criminal checks for all roles, credit checks for financial roles, enhanced checks for privileged access).
- Confirm that all background checks were completed and documented before the employee's start date or before any system access was granted, and that every exception (e.g., access granted while a check was still pending) is covered by a formal, documented risk acceptance.
- Interview HR personnel to understand the process for handling adverse findings, escalation procedures, and decision-making authority for hiring decisions with screening concerns.
- Review contracts with third-party background screening providers to confirm service scope, turnaround times, data protection provisions, and compliance with applicable privacy laws.