GASP: AICF

HRS-001 Personnel Security Policy

Tier 2+

Description

A documented personnel security policy exists, covering pre-employment screening, terms and conditions of employment, information security obligations during employment, and requirements on termination. The policy is communicated to all personnel and reviewed at defined intervals.

Rationale

People are both a critical control and a primary risk vector. A documented policy establishes the expected security behaviors and obligations throughout the employment lifecycle, providing the baseline for consistent enforcement.

Framework Mappings (3)

HRS-09  Personnel Roles and Responsibilities   (partial)
6.2     Terms and conditions of employment     (partial)
PS-1    Policy and Procedures                  (full)

Evidence (2)

policy (manual)

Personnel security policy covering pre-employment, employment obligations, and termination requirements — approved by management and communicated to all personnel.

Example: Personnel Security Policy (Confluence / policy management system), covering: background screening requirements, security obligations during employment, disciplinary consequences, termination procedures, and acknowledgement requirement — with named approver and approval date.

Test: Request the personnel security policy. Verify: (1) pre-employment screening requirements are stated, (2) ongoing employment security obligations are described, (3) termination and exit requirements are included, (4) the policy is approved by a named executive within the last 12 months, (5) evidence of communication to all staff exists (all-staff email, intranet, onboarding workflow).

record (automated)

Policy acknowledgement records confirming personnel have received and acknowledged the personnel security policy.

Example: Personnel security policy acknowledgement export from HRIS or training platform (BambooHR / Workday / KnowBe4), showing name, acknowledgement date, and policy version for all active employees.

Test: Export acknowledgement records. Verify: (1) all active employees have a recorded acknowledgement of the current policy version, (2) acknowledgement date is at or before the date of first system access for newer employees, (3) any gaps have an open remediation ticket.

Questions (2)

boolean

Does your organization have a documented personnel security policy covering pre-employment screening, employment security obligations, and termination requirements?

The policy should span the full employment lifecycle — from background screening before hire through to offboarding obligations — and be approved and communicated to all staff.

select

How do you confirm all personnel have received and acknowledged the personnel security policy?

- Digital acknowledgement tracked in HRIS or training platform with a completion report
- Acknowledgement captured in signed employment agreement
- Communicated but acknowledgement is not formally tracked
- Policy has not been formally communicated to all staff

An acknowledgement export showing all active employees with a recorded acknowledgement date at or before their first day of system access is the expected evidence.