Why background checks matter
Background checks are a vital part of ensuring the security and integrity of your organization. They help verify the trustworthiness of employees and contractors who handle sensitive data or access critical systems, reducing the risk of insider threats and maintaining compliance with frameworks like SOC 2 and ISO 27001.
Our Recommendations
Our recommendation for cyber security audit compliance and best practice is to perform background checks on all in-scope personnel. This typically means all employees and those contractors who have access to any sensitive data.
Background checks do not generally need to be performed retroactively. However, you may want to consider standardizing this workflow across your company.
US vs Non-US in-scope personnel
In-scope personnel refers to employees, contractors, or other individuals whose roles require them to access sensitive data, systems, or environments. Typically, this includes positions such as software developers, IT administrators, security personnel, and customer-facing roles that involve handling confidential information.
Background check controls within Secureframe operate differently depending on where your personnel are located or their employment type.
- U.S. In-scope Personnel: Ensure that a background check is completed for all U.S. personnel within 30 days of employment.
- Non-U.S. In-scope Personnel: Personnel outside of the U.S. do not need to undergo a background check within Secureframe for the background check control to operate. Instead, after declaring the country in which they are employed, they will be asked to submit a resume and reference documentation.
Learn more about how to Initiate Background Checks in Secureframe or how to handle background evidence if you have recently performed a background check.
Background Check Scope Checklist
- Employees with access to sensitive customer data
- Contractors with access to production environments
- Personnel responsible for system administration
- Any role identified as "critical" in your risk assessment
Frequently Asked Questions (FAQ)
Do we also have to do background checks on personnel in Germany?
- Background checks depend on local laws. The requirement is simply to perform due diligence on people who will be accessing company information.
- Certain countries, such as Canada, India, and China, have their own background check laws; where background checks are considered illegal, a resume can be sufficient evidence.
What should we do for background checks if there are no new hires during the audit window?
- This is a non-occurrence, so the client does not need to provide anything to the auditor for background checks.
My auditor said I only need to run background checks on those who were hired during the audit window, but I see no way to exclude users. What should I do?
- For this scenario, you can utilize our Except field.
- Head to Personnel Settings > Onboarding tab, then under Background look for the "except" field. You can create a new group for the users who do not need a background check and add that group to the except field. This will allow them to skip the background check portion of employee onboarding and exclude them from any tests.
What are the background requirements for specific frameworks like ISO 27001 and ISO 9001?
- Secureframe's Requirements: Background checks are required only for U.S. based employees. For non-U.S. employees, uploading a resume is sufficient.
- ISO 27001 Compliance: The primary requirement is due diligence for competence, so resumes are acceptable for international employees, as is any other form of due diligence (a background check is one option but is not a hard requirement).
- ISO 9001 Compliance: Based on its requirements, background checks are not required.
What should I do if background checks are not legally permitted in a specific country?
- If background checks are restricted, consider alternative methods such as verifying employment references, educational qualifications, and conducting structured interviews. Always consult local labor laws to ensure compliance.