Why HR security is tested in every SOC 2 and ISO 27001 audit
Human beings are the largest attack surface in any organisation. Phishing accounts for 36% of data breaches (Verizon DBIR 2024). Insider threats, credential misuse, and inadequate offboarding are among the top causes of security incidents at SaaS companies.
Yet HR security policies are often the last compliance item SaaS founders address — something to bolt on before an audit rather than embed in people processes from day one. That's a mistake, because auditors look at this area carefully and the evidence is unforgiving. Did you run background checks? Did you have employees sign confidentiality agreements? Did you actually revoke all access within 24 hours when someone left?
Here's what ISO 27001 and SOC 2 actually require.
What HR security frameworks require
| Framework | Reference | Requirement |
|---|---|---|
| ISO 27001:2022 | A.6.1 | Screening — background verification of all candidates before employment, commensurate with data sensitivity and role criticality |
| ISO 27001:2022 | A.6.2 | Terms and conditions of employment — employment contracts must include information security responsibilities |
| ISO 27001:2022 | A.6.3 | Information security awareness, education and training — all personnel receive appropriate training relevant to their role |
| ISO 27001:2022 | A.6.4 | Disciplinary process — documented process for security policy violations |
| ISO 27001:2022 | A.6.5 | Responsibilities after termination — returning assets, revoking access, confidentiality obligations survive employment |
| ISO 27001:2022 | A.6.6 | Confidentiality or non-disclosure agreements — formalised for employees and contractors with access to sensitive information |
| ISO 27001:2022 | A.6.7 | Remote working — policy and controls for remote workers accessing company systems |
| SOC 2 | CC1.1 | COSO Principle 1 — organisation demonstrates commitment to integrity and ethical values; background checks part of this |
| SOC 2 | CC1.4 | COSO Principle 4 — organisation demonstrates commitment to attracting, developing, and retaining competent individuals; security training |
| SOC 2 | CC6.2 | Prior to issuing system credentials and granting access, the entity registers and authorises new internal and external users; credentials are removed when access is no longer authorised |
| SOC 2 | CC6.3 | The entity authorises, modifies, or removes access to protected information assets based on roles and responsibilities, with regard to least privilege and segregation of duties |
| NIS2 | Art. 21(2)(g), (i) | Basic cyber hygiene practices and cybersecurity training (g); human resources security, access control policies and asset management (i) |
| HIPAA | §164.308(a)(3) | Workforce security — authorisation/supervision, workforce clearance and termination procedures for workforce members who work with ePHI (the sanctions policy is §164.308(a)(1)(ii)(C); training is §164.308(a)(5)) |
Pre-employment screening
ISO 27001 A.6.1 requires background verification commensurate with the classification of information to be accessed. For a SaaS company processing customer personal data (GDPR scope) or ePHI (HIPAA), "commensurate" means meaningful checks — not just LinkedIn profile verification.
Background check components to consider:
| Check Type | Recommended For | GDPR Consideration |
|---|---|---|
| Identity verification | All roles | Proportionate; ID document check is standard |
| Right to work check | All roles — legal requirement in most jurisdictions | Mandatory — employment law requirement |
| Employment history verification | All roles | Contact prior employers — candidate consent required |
| Education/qualification verification | Roles where qualifications are material | Only where qualification is a genuine job requirement |
| Criminal record check (DBS/CRB/equivalent) | Roles with access to vulnerable individuals, financial data, ePHI | GDPR Art. 10 — only lawful under specific national law; must be proportionate |
| Credit check | Roles with significant financial authority | GDPR — only where specifically justified; not standard for most SaaS roles |
| References | All roles (minimum 1-2) | Standard — candidate provides referees; straightforward lawful basis |
GDPR note: Criminal conviction and offence data is governed by GDPR Art. 10, which sits alongside the Art. 9 special categories and is handled at least as strictly: processing is only permitted under the control of official authority or where Union or Member State law authorises it, and most EU member states restrict when employers can run such checks. Conduct them only for roles where the information is genuinely relevant (e.g. roles handling financial data, access to vulnerable users, security-clearance-level access). Document the lawful basis and the justification per role. Inform candidates and obtain their agreement, but do not rely on consent alone: EU regulators treat consent from job applicants and employees as rarely freely given because of the imbalance of power.
For remote and contractor hires: apply the same screening standards as employees with equivalent access. "They're a contractor" is not a reason to skip screening for someone with production access.
Employment contracts and security clauses
ISO 27001 A.6.2 requires employment contracts to include information security responsibilities. This means your employment contract should contain:
- Acceptable use obligations — employee agrees to use company systems only for authorised business purposes
- Confidentiality obligation — employee agrees to maintain confidentiality of company, customer, and third-party information (survives termination)
- Security policy compliance — employee agrees to comply with information security policies and report incidents
- Intellectual property assignment — work product developed during employment belongs to the company
- Asset return obligation — employee agrees to return all company assets on termination
- Disciplinary consequences — reference to consequences of security policy violations
For contractors, developers, and third parties with access to sensitive systems: a separate NDA or confidentiality agreement should be executed before access is granted. NDAs should be mutual (both parties' confidential information protected) and cover: definition of confidential information, permitted disclosures, return/destruction of information, survival period (typically 2–5 years post-engagement).
Security awareness training
ISO 27001 A.6.3 and SOC 2 CC1.4 both require security awareness training. HIPAA §164.308(a)(5) makes security awareness and training a required standard (its implementation specifications, such as security reminders and log-in monitoring, are "addressable": you must implement them or document why an alternative is reasonable). NIS2 Art. 21(2)(g) requires basic cyber hygiene practices and cybersecurity training.
Minimum viable security awareness programme for SaaS companies:
| Training Element | Who | Frequency | Evidence to Retain |
|---|---|---|---|
| General security awareness (phishing, password, device security) | All employees and contractors | Annual (minimum); onboarding within first week | Completion records with timestamps; quiz scores if applicable |
| Data protection / GDPR training | All employees handling personal data | Annual; after significant regulatory change | Completion records; certificate of completion |
| Phishing simulation | All employees | Quarterly (recommended); at least semi-annually | Click rate metrics; follow-up training for clicked |
| Secure coding training | All engineers and developers | Annual; OWASP Top 10 updates | Completion records; platform certificates |
| Role-specific training | Privileged users, finance, HR | Annual | Role-specific curriculum and completion evidence |
| Incident response procedures | Incident response team + escalation contacts | Annual; after tabletop exercises | Exercise records; updated runbooks |
SOC 2 audit evidence: auditors will typically ask for training completion records showing all employees completed training during the audit period. They sample employee rosters against completion lists. A 95%+ completion rate is expected — chase down the exceptions.
Offboarding — the highest-risk process in HR security
ISO 27001 A.6.5 and SOC 2 CC6.3 both require timely access revocation on termination. This is where many companies fail audits — not because they don't revoke access, but because they can't prove they revoked access within their stated timeframe.
Offboarding checklist for immediate actions (same-day as departure notification):
- ☐ Deactivate SSO account (blocks new logins to all SSO-connected apps; it does not end already-issued app sessions, nor remove accounts in apps that are not SCIM-provisioned, so the remaining items still apply)
- ☐ Disable email account and set out-of-office
- ☐ Revoke all production system access (cloud console, databases, admin panels)
- ☐ Remove from all security groups and shared accounts
- ☐ Revoke SSH keys and API keys issued to the individual
- ☐ Remove from GitHub/GitLab organisation
- ☐ Lock or wipe managed devices via MDM (corporate data only on BYOD devices); retire the enrolment once the hardware is returned
- ☐ Invalidate active sessions and MFA tokens
Offboarding checklist for actions within 24–48 hours:
- ☐ Remove from all SaaS application accounts (Slack, Jira, Notion, HubSpot, etc.)
- ☐ Collect and verify return of hardware (laptop, access cards, devices)
- ☐ Rotate any shared secrets or passwords the individual may have known
- ☐ Transfer ownership of documents and accounts
- ☐ Log all offboarding actions in HR system / access review log
Evidence for auditors: maintain a timestamped offboarding checklist per departing employee showing when each access was revoked. Auditors will sample 3–5 offboarding events from the audit period and verify access was revoked within the company's stated SLA.
Common failure: SSO deactivation is done promptly but local credentials and API keys are forgotten. Shared service accounts (e.g. shared database credentials) are the highest risk — rotate these on every departure of someone with access.
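The audit question in the two paragraphs above is quantitative: for each leaver, when was each access revoked relative to the departure notification, and is anything still open? The following is an added example, not code from the original page; it assumes a 24-hour SLA and reconciles constructed HR leaver records against constructed per-system access exports (SSO, GitHub, a cloud IAM key). It flags the "SSO off, GitHub and API key forgotten" failure described above, and, because the same reconciliation answers the quarterly access-review question, it also lists orphaned active accounts with no current employee behind them.

```python
"""Reconcile HR leaver records against per-system access state.

Produces the per-leaver, per-system revocation timestamps an auditor samples,
measured against the stated SLA, and flags lingering and orphaned access.
All data below is constructed for illustration; the system names and the
24-hour SLA are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SLA = timedelta(hours=24)  # assumed: the company's stated revocation SLA


@dataclass(frozen=True)
class Leaver:
    email: str
    notified_at: datetime  # when HR notified the departure


@dataclass(frozen=True)
class AccessRecord:
    system: str
    email: str
    active: bool
    revoked_at: Optional[datetime]  # None when still active or not recorded


def _ts(s: str) -> datetime:
    """Parse a naive ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data (not real people or real system exports).
HR_ACTIVE = {"alice@example.com", "bob@example.com"}
LEAVERS = [
    Leaver("carol@example.com", _ts("2024-05-10T09:00:00")),
    Leaver("dave@example.com", _ts("2024-05-12T17:30:00")),
]
ACCESS = [
    # carol: SSO deactivated promptly, GitHub org membership never removed,
    # cloud IAM access key only deleted three days later
    AccessRecord("sso", "carol@example.com", False, _ts("2024-05-10T09:20:00")),
    AccessRecord("github", "carol@example.com", True, None),
    AccessRecord("aws-iam-key", "carol@example.com", False, _ts("2024-05-13T10:00:00")),
    # dave: everything revoked within the SLA
    AccessRecord("sso", "dave@example.com", False, _ts("2024-05-12T17:45:00")),
    AccessRecord("github", "dave@example.com", False, _ts("2024-05-12T18:00:00")),
    # eve: active account with no HR record at all (orphan)
    AccessRecord("github", "eve@example.com", True, None),
    # alice: current employee, expected to be active
    AccessRecord("sso", "alice@example.com", True, None),
]


def leaver_report(leavers, access, sla=SLA):
    """Map leaver email -> {system: (status, hours_to_revoke)}.

    status is 'ok' (revoked within sla), 'late' (revoked after sla) or
    'open' (still active / no revocation timestamp); hours is None for 'open'.
    """
    report = {}
    for lv in leavers:
        rows = {}
        for rec in access:
            if rec.email != lv.email:
                continue
            if rec.active or rec.revoked_at is None:
                rows[rec.system] = ("open", None)
                continue
            delay = rec.revoked_at - lv.notified_at
            status = "ok" if delay <= sla else "late"
            rows[rec.system] = (status, round(delay.total_seconds() / 3600, 2))
        report[lv.email] = rows
    return report


def sla_breaches(report):
    """Leavers with at least one system still open or revoked after the SLA."""
    return sorted(
        email for email, rows in report.items()
        if any(status != "ok" for status, _ in rows.values())
    )


def orphan_accounts(access, hr_active):
    """Active accounts whose owner is not on the current HR roster."""
    return sorted({(r.system, r.email) for r in access
                   if r.active and r.email not in hr_active})


if __name__ == "__main__":
    rep = leaver_report(LEAVERS, ACCESS)
    for email, rows in rep.items():
        for system, (status, hours) in sorted(rows.items()):
            shown = "" if hours is None else f"{hours}h"
            print(f"{email:20} {system:12} {status:5} {shown}")
    print("SLA breaches:", sla_breaches(rep))
    print("Orphaned active accounts:", orphan_accounts(ACCESS, HR_ACTIVE))
```

In practice the `ACCESS` list comes from each system's own export or audit log (IdP user status, GitHub org membership, IAM credential reports), and the report per leaver is the timestamped checklist the auditor asks for; run the orphan check on the same data quarterly so the access review is not limited to known leavers.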
Remote working controls (ISO 27001 A.6.7)
ISO 27001:2022 carries the 2013 teleworking control (A.6.2.2) forward as A.6.7 Remote working, and it now covers hybrid arrangements as well. Controls to address:
- Full-disk encryption on all remote-working devices (FileVault on Mac, BitLocker on Windows, LUKS on Linux), enforced and verified through MDM rather than left to the user
- Screen lock auto-activates after defined period (5–10 minutes)
- No use of unsecured public Wi-Fi for accessing production systems
- VPN or ZTNA required for production system access from non-office locations
- Clean desk / clean screen policy for customer-sensitive work
- Reporting procedure for lost or stolen devices
Disciplinary process for security violations
ISO 27001 A.6.4 requires a disciplinary process for security policy violations. This doesn't mean firing someone for clicking a phishing link — it means having a documented, proportionate process that escalates based on severity and intent:
- Accidental/minor: Additional training; verbal/written reminder
- Negligent: Formal written warning; mandatory remedial training; increased monitoring
- Deliberate/serious: Immediate access revocation pending investigation; potential termination; legal action
- Criminal: Immediate suspension; law enforcement referral; legal action
Document the process in your HR policy and reference it in your Information Security Policy. You don't need to have used it: a documented, approved process satisfies the control. Expect the auditor to ask whether any violations occurred during the audit period and, if so, for evidence that the process was followed.
Minimum viable HR security programme for early-stage SaaS
- ☐ Employment contracts include confidentiality and security obligations
- ☐ Pre-employment screening documented (identity check + employment reference + right to work)
- ☐ All new starters complete security awareness training within first week
- ☐ Annual security awareness training tracked with completion records
- ☐ Offboarding checklist exists and is completed within 24h of departure
- ☐ Access review conducted quarterly (existing employees, not just leavers)
- ☐ HR system or spreadsheet records offboarding events with timestamps
- ☐ NDAs / confidentiality agreements executed for contractors and third parties with system access
⚠️ This guide is for informational purposes only and does not constitute legal or HR advice. Background check requirements and employment law vary significantly by jurisdiction. Always consult qualified employment law counsel before implementing screening programmes.