HRS-002 Pre-Employment Background Screening
Description
Background screening is conducted on all candidates before system access is granted, proportional to the sensitivity of the role and applicable laws. Screening elements are defined per role risk level and may include identity verification, employment history, criminal record, and reference checks. Contractors and third parties with privileged access are subject to equivalent requirements.
Rationale
Access to sensitive systems and data requires confidence in the identity and integrity of the individuals granted that access. Background screening provides a documented, repeatable mechanism for establishing that confidence before access is provisioned.
Framework Mappings (5)
| Framework | Control | Title | Coverage |
| --- | --- | --- | --- |
| CSA CCM v4 | HRS-01 | Background Screening Policy and Procedures | full |
| ISO/IEC 27001:2022 Annex A | 6.1 | Screening | full |
| NIST SP 800-53 Rev. 5 | PS-2 | Position Risk Designation | partial |
| NIST SP 800-53 Rev. 5 | PS-3 | Personnel Screening | full |
| NIST SP 800-53 Rev. 5 | SA-21 | Developer Screening | partial |
Evidence (2)
Background screening completion records for a representative sample of employees and contractors, confirming screening was completed before access was granted.
Example: Background check completion certificates or pass/fail records from a background screening provider (Checkr, Sterling, HireRight, or equivalent) for a sample of recent hires and privileged-access contractors — showing completion date preceding the access provisioning date.
Test: Request background screening records for a sample of at least five employees hired in the last 12 months and at least two contractors with privileged access. For each, verify: (1) a background check was completed, (2) the completion date precedes the individual's first access provisioning date (for example, the account creation date in the identity provider), (3) the elements checked match those required for the role's risk tier.
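The evidence test above can be run mechanically once the screening provider export and the identity-provider account creation dates are in hand. The script below is an added example, not part of this control page or any vendor's tooling: it encodes an assumed set of role risk tiers, evaluates each in-scope record against the three criteria (screening present, completed before first access, scope matches tier), and checks that the sample meets the minimum size. The records, tier names and element labels are constructed for illustration.

```python
"""Evaluate pre-employment screening evidence against the HRS-002 test criteria.

Added example with constructed sample data; tier names and element labels
are assumptions, not a real provider's schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed role risk tiers and the screening elements each tier requires.
TIER_REQUIREMENTS = {
    "low": {"identity", "right_to_work"},
    "medium": {"identity", "right_to_work", "employment_history"},
    "high": {"identity", "right_to_work", "employment_history",
             "criminal_record", "references"},
}


@dataclass(frozen=True)
class ScreeningRecord:
    person: str
    category: str                    # "employee" or "contractor"
    role_tier: str                   # key of TIER_REQUIREMENTS
    privileged_access: bool
    hire_date: date                  # hire or engagement start date
    access_provisioned: date         # first account / access creation date
    screening_completed: date | None # None = no provider record on file
    elements: frozenset              # elements the provider reports as completed


def in_scope(rec: ScreeningRecord) -> bool:
    """Employees are always in scope; contractors only with privileged access."""
    return rec.category == "employee" or rec.privileged_access


def evaluate(rec: ScreeningRecord) -> list[str]:
    """Return findings for one record; an empty list means it passes."""
    findings: list[str] = []
    if not in_scope(rec):
        return findings
    if rec.screening_completed is None:
        findings.append("no screening record on file")
        return findings  # nothing further to compare against
    if rec.screening_completed > rec.access_provisioned:
        lag = (rec.screening_completed - rec.access_provisioned).days
        findings.append(f"screening completed {lag} days after access was provisioned")
    missing = sorted(TIER_REQUIREMENTS[rec.role_tier] - rec.elements)
    if missing:
        findings.append(f"scope short of {rec.role_tier} tier: missing {', '.join(missing)}")
    return findings


def sample_is_adequate(records, as_of: date, min_employees=5, min_contractors=2) -> bool:
    """At least five employees hired in the last 12 months and two privileged contractors."""
    cutoff = as_of - timedelta(days=365)
    employees = [r for r in records if r.category == "employee" and r.hire_date >= cutoff]
    contractors = [r for r in records if r.category == "contractor" and r.privileged_access]
    return len(employees) >= min_employees and len(contractors) >= min_contractors


def audit(records) -> dict[str, list[str]]:
    """Map each in-scope person to their findings."""
    return {r.person: evaluate(r) for r in records if in_scope(r)}


ALL = frozenset(TIER_REQUIREMENTS["high"])
D = date
AS_OF = D(2024, 9, 30)

# Constructed sample: five recent hires, two privileged contractors, one out-of-scope contractor.
SAMPLE = [
    ScreeningRecord("emp-01", "employee", "high", True, D(2024, 3, 4), D(2024, 3, 4), D(2024, 2, 26), ALL),
    ScreeningRecord("emp-02", "employee", "medium", False, D(2024, 5, 13), D(2024, 5, 10), D(2024, 5, 20),
                    frozenset({"identity", "right_to_work", "employment_history"})),
    ScreeningRecord("emp-03", "employee", "high", True, D(2024, 6, 3), D(2024, 6, 3), D(2024, 5, 28),
                    frozenset({"identity", "right_to_work", "employment_history"})),
    ScreeningRecord("emp-04", "employee", "low", False, D(2024, 7, 1), D(2024, 7, 1), D(2024, 6, 25),
                    frozenset({"identity", "right_to_work"})),
    ScreeningRecord("emp-05", "employee", "medium", False, D(2024, 8, 19), D(2024, 8, 19), None, frozenset()),
    ScreeningRecord("con-01", "contractor", "high", True, D(2024, 1, 15), D(2024, 1, 15), D(2024, 1, 10), ALL),
    ScreeningRecord("con-02", "contractor", "high", True, D(2024, 4, 2), D(2024, 4, 2), D(2024, 4, 1), ALL),
    ScreeningRecord("con-03", "contractor", "low", False, D(2024, 2, 1), D(2024, 2, 1), None, frozenset()),
]

if __name__ == "__main__":
    print("sample adequate:", sample_is_adequate(SAMPLE, AS_OF))
    for person, findings in audit(SAMPLE).items():
        print(person, "PASS" if not findings else "; ".join(findings))
```

Three of the constructed records fail for the three distinct reasons the test names (late screening, scope short of tier, no record), and the non-privileged contractor is excluded from the output rather than flagged, which matches the control's scope statement. Replace the constructed records with the provider export and the identity-provider creation dates to use it against real evidence.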
Background screening policy or procedure defining required screening elements per role risk level.
Example: Pre-Employment Screening Procedure (Confluence / HR policy), listing: role risk tiers, required screening elements per tier (e.g. identity, employment history, criminal record, right-to-work), process for screening contractors and third parties, and handling of adverse findings.
Test: Request the background screening procedure. Verify: (1) role risk tiers are defined, (2) required screening elements are specified per tier, (3) contractors and privileged-access third parties are explicitly included in scope, (4) a process for handling adverse or incomplete screening results is described, (5) the document is approved and its most recent review or approval date falls within the last 12 months.
Questions (3)
Does your organization conduct background screening on all candidates before system access is granted, proportional to the sensitivity of the role?
Screening should be completed before access provisioning. The scope of the check should match a defined role risk tier (identity, employment history, criminal record, etc.).
Which of the following personnel categories are subject to pre-employment background screening in your organization?
ISO 27001 and most enterprise customer requirements expect screening for contractors and third parties with privileged access, not just direct employees.
Is background screening completion documented and traceable, confirming the check was completed before the individual's first system access date?
Screening completion certificates or provider pass/fail records should be on file, with a completion date that pre-dates the access provisioning date.