Control 6.1 : Screening
Summary
Background verification checks on all candidates for employment should be carried out prior to joining the organization. This ensures that personnel are suitable for their roles and reduces the risk of internal threats or fraud.
Applicability
In-Scope: Mandatory for all organizations to verify the identity and professional history of staff. It is a foundational requirement for security clearance and regulatory compliance, particularly for specialists handling sensitive cloud infrastructure.
Out-of-Scope: Never out-of-scope, though the depth of screening may vary based on the sensitivity of the role.
Implementation Guidance
Microsoft 365 / Entra ID
- Data Privacy: Store sensitive screening results (e.g., background check reports) in a restricted SharePoint library with Highly Confidential sensitivity labels and strictly limited access.
- Access Gating: Ensure that Entra ID accounts are only provisioned after the HR department confirms that all screening requirements have been met.
- Digital Identity: Use the screening process to verify the legal identity of the user before issuing their unique digital credentials for the tenant.
Evidence Checklist
- Screening Policy: Documented procedures defining the level of background checks required for different roles.
- Completed Files: Anonymized evidence of background checks (criminal, professional, or academic) for recently hired staff.
- Verification Records: Logs or checklists showing that screening was completed before technical access was granted.
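As an added example (not part of the original page), a reconciliation check for the Access Gating and Verification Records points above: it compares an HR screening export against an Entra ID user export and flags enabled accounts with no screening record, incomplete screening, or a creation date earlier than the screening sign-off. The HR export schema and all sample records are constructed; employeeId, createdDateTime and accountEnabled are standard Graph user properties.

```python
from datetime import datetime, timezone

# Constructed HR screening export (assumed schema): employee id -> UTC
# timestamp when screening was signed off, or None if not yet completed.
HR_SCREENING = {
    "E1001": "2024-03-01T09:00:00Z",
    "E1002": None,
    "E1003": "2024-03-10T12:00:00Z",
}

# Constructed Entra ID user export, using the Graph user properties
# employeeId, createdDateTime and accountEnabled.
ENTRA_USERS = [
    {"userPrincipalName": "a.smith@contoso.example", "employeeId": "E1001",
     "createdDateTime": "2024-03-02T08:00:00Z", "accountEnabled": True},
    {"userPrincipalName": "b.jones@contoso.example", "employeeId": "E1002",
     "createdDateTime": "2024-03-05T08:00:00Z", "accountEnabled": True},
    {"userPrincipalName": "c.lee@contoso.example", "employeeId": "E1003",
     "createdDateTime": "2024-03-08T08:00:00Z", "accountEnabled": True},
    {"userPrincipalName": "d.contractor@contoso.example", "employeeId": "E9999",
     "createdDateTime": "2024-03-09T08:00:00Z", "accountEnabled": True},
    {"userPrincipalName": "old.leaver@contoso.example", "employeeId": "E0001",
     "createdDateTime": "2023-01-01T08:00:00Z", "accountEnabled": False},
]


def parse_ts(value):
    """Parse the ISO 8601 'Z' timestamps used by both exports into aware UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def screening_findings(users, screening):
    """Return (userPrincipalName, reason) pairs for enabled accounts whose
    screening record is missing, incomplete, or signed off after creation."""
    findings = []
    for user in users:
        if not user["accountEnabled"]:
            continue  # disabled accounts grant no access; reviewed separately
        upn = user["userPrincipalName"]
        emp_id = user.get("employeeId")
        if emp_id is None or emp_id not in screening:
            findings.append((upn, "no HR screening record"))
            continue
        completed = screening[emp_id]
        if completed is None:
            findings.append((upn, "screening not completed"))
        elif parse_ts(completed) > parse_ts(user["createdDateTime"]):
            findings.append((upn, "account created before screening completed"))
    return findings
```

Each finding is an item the auditor's "screening finalized before activation" question would surface; a clean run returns an empty list.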
Practical Audit Advice
Here are some questions the auditor might ask:
- How does the organization determine which roles require more intensive screening (e.g., global administrators vs. standard users)?
- What is the process for screening external contractors or third-party consultants who have access to your Microsoft 365 environment?
- Can you provide evidence that a specific employee's screening was finalized before their Entra ID account was activated?
- How do you handle cases where a background check returns unsatisfactory results for an existing employee?