
    Why you should implement information security in your human resource management system


    Information technology was introduced to modernise information systems and remedy their shortcomings. It is a tool for building, running and protecting information systems, for reaching business targets and for optimising work processes. Human resource management is one such process: it covers recruiting, training, developing and rewarding the people in an organisation, and it shapes the organisation's internal processes, core competencies, target markets and structure. All of this depends on information security. Information security controls applied to HR ensure that employees and contractors understand their responsibilities, are suitable for the roles in which they are placed, and protect the information the organisation holds.

    Human Resources (HR) controls in the workplace

    A.7.1.1 Screening

    A good control covers background verification and competency checks for all candidates for employment. The checks must comply with the relevant laws, regulations and ethics, and they must be proportionate to the business requirements, namely the classification of the information the person will be able to access and the associated risks. HR should control every stage of employment in a way that reduces the likelihood of accidental or malicious threats, and the screening procedure should be applied consistently rather than case by case. Ideally it is integrated into the organisation's overall hiring process.

    A.7.1.2 Terms & Conditions of Employment

    The contract with an employee or contractor must state both their and the organisation's responsibilities with regard to information security. It carries legal weight and should cover general as well as individual responsibilities. In South Africa this is also necessary to satisfy the Protection of Personal Information Act 4 of 2013 and the Promotion of Access to Information Act 2 of 2000.

    A.7.2.1 Management responsibilities

    A good control defines how employees and contractors apply information security in line with the organisation's policies and procedures. The duties of managers should include requirements to:
    Ensure that the people they are responsible for understand the information security threats, vulnerabilities and controls relevant to their job roles and receive regular training (as per A.7.2.2).
    Secure practical and appropriate support for the information security policies and controls, and reinforce the requirements of the terms and conditions of employment. Managers play a central role in building security awareness and diligence throughout the organisation by creating an appropriate "security culture".

    A.7.2.2 Information Security Awareness, Education & Training

    All employees and relevant contractors must receive appropriate awareness education and training to perform their job well and securely. They must be updated whenever organisational policies and procedures change, and the training must take proper account of the legislation that applies to them in their role. Each organisation must be able to demonstrate that training and compliance have been addressed, and must record how training and awareness are delivered so that staff and contractors have the best chance of understanding them.

    A.7.2.3 Disciplinary Process

    There must be a documented disciplinary process, communicated to staff and contractors (in line with A.7.2.2 above), which is invoked when an employee or contractor commits an information security breach.

    A.7.3.1 Termination or change of employment responsibilities

    Information security duties and responsibilities that remain valid after termination, or after a change of role during employment, must be defined, communicated to the employee or contractor, and enforced. Examples include returning the organisation's information and assets on departure and continuing to keep confidential information confidential.

    It is essential that information remains protected after an employee or contractor leaves the organisation, because people themselves are walking data stores. The terms and conditions of the contract should emphasise this, and the leaver's exit process should remind individuals that their obligations to the organisation continue after they have left.

    Besides termination and exit, a change of role (e.g. moving from operations to sales) must trigger a review of access: the employee should lose access to information assets that are not required in the new role, not merely gain the access the new role needs.
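The mover and leaver cases above come down to one check: compare what a person can currently access with what their role actually requires, and revoke the difference. The following Python script is an added example (not code from the original page or from WWISE) of that reconciliation. The role-to-group entitlement matrix, the user names and the access snapshot are all constructed for illustration; in practice the snapshot would come from the identity provider or directory.

```python
"""Joiner/mover/leaver access reconciliation.

Added example, not from the original page. All roles, groups and users below
are constructed sample data; ROLE_ENTITLEMENTS stands in for the organisation's
real role-to-entitlement matrix.
"""
from dataclasses import dataclass

# Constructed sample data: the groups each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "operations": {"vpn-users", "prod-servers-ssh", "ticketing"},
    "sales": {"vpn-users", "crm-users", "ticketing"},
}


@dataclass(frozen=True)
class AccessChange:
    """Entitlements to remove and add for one user, and whether to disable the account."""
    user: str
    revoke: frozenset
    grant: frozenset
    disable_account: bool = False


def reconcile(user, current_groups, new_role):
    """Compute the access change for a mover (new_role given) or a leaver (new_role None).

    The mover case diffs current access against the new role's requirements,
    so groups shared by both roles (e.g. vpn-users) are kept, groups only the
    old role needed are revoked, and groups only the new role needs are granted.
    """
    current = frozenset(current_groups)
    if new_role is None:
        # Leaver: nothing is retained; the account itself is disabled.
        return AccessChange(user=user, revoke=current, grant=frozenset(), disable_account=True)
    if new_role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role: {new_role}")
    required = frozenset(ROLE_ENTITLEMENTS[new_role])
    return AccessChange(user=user, revoke=current - required, grant=required - current)


def audit(snapshot, roles):
    """Periodic access review: return a change for every user whose access
    does not match their current role. Users absent from the roles mapping
    are treated as leavers.
    """
    findings = {}
    for user, groups in snapshot.items():
        change = reconcile(user, groups, roles.get(user))
        if change.revoke or change.grant or change.disable_account:
            findings[user] = change
    return findings


# Constructed snapshot: alice has just moved from operations to sales, bob has
# left but still has an active account, carol is correctly provisioned.
SNAPSHOT = {
    "alice": {"vpn-users", "prod-servers-ssh", "ticketing"},
    "bob": {"vpn-users", "ticketing"},
    "carol": {"vpn-users", "crm-users", "ticketing"},
}
CURRENT_ROLES = {"alice": "sales", "carol": "sales"}

if __name__ == "__main__":
    for user, change in audit(SNAPSHOT, CURRENT_ROLES).items():
        print(user, "revoke:", sorted(change.revoke), "grant:", sorted(change.grant),
              "disable:", change.disable_account)
```

The point of diffing against the new role's full entitlement set, rather than just removing the old role's groups, is that ad hoc grants accumulated outside any role are caught as well; running `audit` on a schedule turns the one-off mover/leaver step into the recurring access review the standard expects.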


    For HR departments, the most important thing in information security is to be proactive rather than reactive. Technology, and with it the potential for breaches, is present in every facet of business today. It is not enough to rely on the IT department to educate staff about data loss and how to prevent it. The organisation must ensure that employees are trained in their role in keeping data safe: what the security procedures are, how to create and use strong passwords, and what to do if they suspect a problem or lose a device that they also use for work. HR professionals are accountable for ensuring that employees comply with security policies, and the HR department is central to ensuring that information security policies are properly presented, documented, communicated and enforced.

    Should you need assistance with implementing information security in your human resource management system, send an email to or contact us on 08610 99473 (WWISE) or 021 525 9159 (Cape Town).
