Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment.
CONTROL ID
12029
CONTROL TYPE
Human Resources Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Code of Conduct. (CC ID: 04897)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Accountability for security is increased through clear job descriptions, employment agreements and policy awareness acknowledgements. It is important to communicate the general and specific security roles and responsibilities for all employees within their job descriptions. The job descriptions for … (Critical components of information security 1) 3), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Employment agreements include the obligations of the cloud provider's internal and external employees to comply with relevant laws, regulations and provisions regarding information security (see KOS-10). The security policy as well as the policies and instructions for information security derived fr… (Section 5.3 HR-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Information security aspects are considered in the employment contracts of the staff. (2.1.2 Requirements (should) Bullet 2, Information Security Assessment, Version 5.1)
  • Employment agreements shall incorporate provisions and/or terms for adherence to established information governance and security policies and must be signed by newly hired or on-boarded workforce personnel (e.g., full or part-time employee or contingent staff) prior to granting workforce personnel u… (HRS-03, Cloud Controls Matrix, v3.0)
  • Workforce personnel and external business relationships shall be informed of their responsibility and, if required, shall consent and/or contractually agree to report all information security events in a timely manner. Information security events shall be reported through predefined communications c… (SEF-03, Cloud Controls Matrix, v3.0)
  • The organization includes within the employment agreements provisions and/or terms for adherence to established information governance and security policies. (HRS-08, Cloud Controls Matrix, v4.0)
  • The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security. (A.7.1.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The contractual agreements with employees and contractors should state their and the organization’s responsibilities for information security. (§ 7.1.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. (§ 6.5 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The employment contractual agreements should state the personnel's and the organization's responsibilities for information security. (§ 6.2 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)