1. Purpose and Scope
This policy defines how the organisation manages human resources security to ensure confidentiality, integrity, and availability of information assets. It applies to all employees, contractors, suppliers, and partners throughout the employment lifecycle (pre-employment, employment, and termination or change of employment).
Policy Statements:
- HR security controls are documented and enforced, consistent with ISO/IEC 27001:2022 Annex A.6 (People controls); control numbers cited in this policy follow the 2022 edition.
- Workforce security obligations align with HIPAA Security Rule §164.308(a)(3) (Workforce Security).
- Vendor and partner HR security obligations are integrated into contracts (SOC 2 Trust Services Criteria CC1.4, commitment to competence, and CC9.2, vendor and business partner risk management).
- Employee instructions for data handling follow GDPR Article 29 (Processing under the authority of the controller or processor).
- Governance oversight is provided by the board, consistent with ISO/IEC 38500:2015 Clauses 5.1 to 5.6 and, where applicable to the organisation's jurisdiction, instruments such as US SOX Section 404 and equivalent national governance codes.
2. Governance and Accountability
HR security responsibilities are clearly defined and enforced.
Policy Statements:
- The board demonstrates leadership and commitment to HR security governance (ISO 27001 Clause 5.1).
- A formally appointed HR Security Manager is accountable for HR security standards (Clause 5.3).
- Department heads ensure compliance within their teams, with responsibilities documented in job descriptions.
- Quarterly HR security performance reports are presented to the Audit & Risk Committee in the form required by applicable governance instruments; representative reference points include US SOX Section 404, South Africa King IV Principle 12, and equivalent national codes.
- Collaborative HR security responsibilities with suppliers and partners are documented and reviewed annually (ISO 44001 Clause 5.2).
- HR security governance aligns with the COSO Internal Control - Integrated Framework (Control Environment component, Principle 1: commitment to integrity and ethical values, and Principle 4: commitment to competence) or an equivalent internal-control framework adopted by the organisation.
3. Risk Management
HR security risks are identified, assessed, and treated systematically.
Policy Statements:
- Risk assessments include HR security risks quarterly (ISO 27001 Clause 6.1.2).
- Risk treatment plans are documented and approved (Clause 6.1.3).
- HR security risks are integrated into enterprise risk registers (ISO 22301 Clause 8.2).
- Shared risk registers with strategic partners include HR security risks (ISO 44001 Clause 6.3).
- HR security risk assessments are embedded into the organisation's enterprise risk management framework: COSO ERM (Performance component, Principles 10 and 11: identifies risk and assesses severity of risk), ISO 31000:2018, or an equivalent ERM framework adopted by the organisation.
4. Pre-Employment Screening
Employees and contractors are vetted prior to engagement.
Policy Statements:
- Background checks are conducted before employment and are proportionate to the role, the sensitivity of the information to be accessed, and applicable employment and privacy law (ISO 27001 Annex A.6.1).
- Terms and conditions of employment state information security responsibilities, and confidentiality or non-disclosure agreements are signed prior to access to information assets (Annex A.6.2, A.6.6).
- Vendor contracts mandate pre-employment screening for supplier staff (SOC 2 CC1.4; vendor risk management under CC9.2).
5. Employment Responsibilities
Employees and contractors are accountable for security obligations.
Policy Statements:
- Security responsibilities are documented in job descriptions and terms of employment, and management requires personnel to apply them (ISO 27001 Annex A.6.2, A.5.4).
- Employees must comply with acceptable use policies (Annex A.5.10; PCI DSS v4.0 Req. 12.2, Req. 12.3 in v3.2.1).
- Workforce obligations are documented under HIPAA Security Rule §164.308(a)(3).
- GDPR Article 29 requires employees to process personal data only on the controller's documented instructions.
6. Termination and Change of Employment
Access rights are revoked promptly upon termination or role change.
Policy Statements:
- Termination and change-of-role procedures include prompt revocation or adjustment of access rights, return of assets, and communication of responsibilities that survive termination (ISO 27001 Annex A.6.5, A.5.18).
- Exit interviews reinforce confidentiality obligations.
- Vendor contracts mandate termination procedures for supplier staff, including removal of their access to the organisation's systems (SOC 2 CC6.2, CC6.3).
- HR security incidents integrate with enterprise risk reporting channels (COSO Internal Control - Integrated Framework Principle 17, evaluates and communicates deficiencies, or equivalent).
7. Training and Awareness
Employees and partners are trained to comply with HR security standards.
Policy Statements:
- Annual HR security training is mandatory (ISO 27001 Annex A.6.3, PCI DSS Req. 12.6).
- Roleβspecific training is provided to HR staff and managers.
- Awareness campaigns reinforce HR security culture.
- Vendors must provide evidence of HR security training for their staff (SOC 2 CC1.4).
8. Compliance Obligations
HR security complies with applicable laws and standards.
Policy Statements:
- Obligations under applicable data protection and health-data law are integrated into HR security standards; representative regimes include EU GDPR, POPIA, HIPAA, and California CCPA/CPRA.
- Cross-border HR obligations follow the lawful transfer mechanisms of applicable data protection law in each operating jurisdiction; representative references include EU GDPR Chapter V and Mauritius Data Protection Act 2017 Section 36.
- The organisation maintains a living register of data protection obligations applicable to its jurisdictions of operation; representative reference points include Singapore PDPA, India DPDP Act, and Brazil LGPD.
- HR security obligations under the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014) are observed where the organisation operates in states that have ratified it.
9. Audit and Assurance
Independent audits validate HR security effectiveness.
Policy Statements:
- Internal audits of HR security are conducted annually (ISO 27001 Clause 9.2).
- Management reviews HR security performance quarterly (Clause 9.3).
- External audits validate compliance with recognised assurance frameworks applicable to the organisation's market context; representative references include SOC 2 Type II examinations against the criteria cited in this policy and ISO/IEC 27001 certification audits.
- Corrective actions are tracked and verified to closure (ISO 27001 Clause 10, nonconformity, corrective action and continual improvement).
10. Appendices
- Appendix A: PreβEmployment Screening Checklist.
- Appendix B: Confidentiality Agreement Template.
- Appendix C: HR Security Incident Escalation Flowchart.
- Appendix D: Termination Procedures Checklist.
- Appendix E: Vendor HR Security Agreement template.
- Appendix F: HR Security Training Curriculum.
- Appendix G: HR Security Audit Schedule.
Enterprise and Conglomerate implementation content will be added here.