SAMMY UI is optimized for resolutions with a width 1024px and higher.
Cloud Controls Matrix
Browse Cloud Controls...
HRS-01: Background Screening Policy and Procedures
Background Screening Policy and Procedures
HRS-01: Are background verification policies and procedures of all new employees (including but not limited to remote employees, contractors, and third parties) established, documented, approved, communicated, applied, evaluated, and maintained?
Personnel working under organizational control—including full-time employees, part-time employees, consultants, and temporary staff—should undergo a screening process appropriate for their role and responsibilities before granting access to the corporate network or systems.
Depending on the applicable legislation, inform candidates beforehand about screening activities. Personnel screening should consider all relevant privacy, PII protection, and employment-based legislation and should (when permitted) include the following:
a. Availability of satisfactory references.
b. Verification of the applicant’s curriculum vitae, including claimed academic and professional qualifications.
c. Independent identity verification (passports or similar documents).
d. Additional role-specific verifications, such as a credit review if the person will have fiscal responsibilities.
The organization should consider rescreening individuals at regular intervals. Rescreening may also occur if the employee’s responsibilities or access to confidential data have increased since their last screening.
The organization should have policies to determine who can screen personnel, how, when, and why the screening is required, where data is stored, and what the retention period constitutes.
All relevant data about personnel should be considered PII and managed accordingly. If the screening is done by an external entity or another organizational department, sensitive information like historic remuneration details should be redacted if irrelevant to the screening process.
Control implemented
Not applicable - A “N/A” answer indicates that the portion of the control in question is out of scope of the assessment. The “SSRM control ownership” column is to be left blank (e.g., greyed out), and optionally the CSP may explain why it is the case (“CSP Implementation Description”).
No - A “No” answer indicates that the portion of the control in question is not implemented, while in scope of the assessment. The CSP has to assign the implementation responsibility of the control to the relevant party under column “SSRM control ownership”, and optionally elaborate on the “why” (has not been implemented), and “what” has to be done for its implementation by that party.
Yes - A “Yes” answer indicates that the portion of the control in question is implemented. The CSP indicates the responsible and accountable parties (SSRM control ownership), and optionally elaborates on the implementation “how-to” per relevant party CSP and/or CSC.
Control ownership
CSP-owned - The CSP is entirely responsible and accountable for the CCM control implementation.
CSC-owned - The Cloud Service Customer (CSC) is entirely responsible and accountable for the CCM control implementation.
Third-party - The third-party CSP in the supply chain (e.g., an IaaS provider) is responsible for CCM control implementation, while the CSP is fully accountable.
Shared CSP and CSC - Both the CSP and CSC share CCM control implementation responsibility and accountability.
Shared CSP and third party - Any CCM control implementation responsibility is shared between CSP and the third party, but the CSP remains fully accountable.
Description

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually.

Background Screening Policy and Procedures
HRS-01: Are background verification policies and procedures designed according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, business requirements, and acceptable risk?
Personnel working under organizational control—including full-time employees, part-time employees, consultants, and temporary staff—should undergo a screening process appropriate for their role and responsibilities before granting access to the corporate network or systems.
Depending on the applicable legislation, inform candidates beforehand about screening activities. Personnel screening should consider all relevant privacy, PII protection, and employment-based legislation and should (when permitted) include the following:
a. Availability of satisfactory references.
b. Verification of the applicant’s curriculum vitae, including claimed academic and professional qualifications.
c. Independent identity verification (passports or similar documents).
d. Additional role-specific verifications, such as a credit review if the person will have fiscal responsibilities.
The organization should consider rescreening individuals at regular intervals. Rescreening may also occur if the employee’s responsibilities or access to confidential data have increased since their last screening.
The organization should have policies to determine who can screen personnel, how, when, and why the screening is required, where data is stored, and what the retention period constitutes.
All relevant data about personnel should be considered PII and managed accordingly. If the screening is done by an external entity or another organizational department, sensitive information like historic remuneration details should be redacted if irrelevant to the screening process.
Control implemented
Not applicable - A “N/A” answer indicates that the portion of the control in question is out of scope of the assessment. The “SSRM control ownership” column is to be left blank (e.g., greyed out), and optionally the CSP may explain why it is the case (“CSP Implementation Description”).
No - A “No” answer indicates that the portion of the control in question is not implemented, while in scope of the assessment. The CSP has to assign the implementation responsibility of the control to the relevant party under column “SSRM control ownership”, and optionally elaborate on the “why” (has not been implemented), and “what” has to be done for its implementation by that party.
Yes - A “Yes” answer indicates that the portion of the control in question is implemented. The CSP indicates the responsible and accountable parties (SSRM control ownership), and optionally elaborates on the implementation “how-to” per relevant party CSP and/or CSC.
Control ownership
CSP-owned - The CSP is entirely responsible and accountable for the CCM control implementation.
CSC-owned - The Cloud Service Customer (CSC) is entirely responsible and accountable for the CCM control implementation.
Third-party - The third-party CSP in the supply chain (e.g., an IaaS provider) is responsible for CCM control implementation, while the CSP is fully accountable.
Shared CSP and CSC - Both the CSP and CSC share CCM control implementation responsibility and accountability.
Shared CSP and third party - Any CCM control implementation responsibility is shared between CSP and the third party, but the CSP remains fully accountable.
Description

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually.

Background Screening Policy and Procedures
HRS-01: Are background verification policies and procedures reviewed and updated at least annually?
Personnel working under organizational control—including full-time employees, part-time employees, consultants, and temporary staff—should undergo a screening process appropriate for their role and responsibilities before granting access to the corporate network or systems.
Depending on the applicable legislation, inform candidates beforehand about screening activities. Personnel screening should consider all relevant privacy, PII protection, and employment-based legislation and should (when permitted) include the following:
a. Availability of satisfactory references.
b. Verification of the applicant’s curriculum vitae, including claimed academic and professional qualifications.
c. Independent identity verification (passports or similar documents).
d. Additional role-specific verifications, such as a credit review if the person will have fiscal responsibilities.
The organization should consider rescreening individuals at regular intervals. Rescreening may also occur if the employee’s responsibilities or access to confidential data have increased since their last screening.
The organization should have policies to determine who can screen personnel, how, when, and why the screening is required, where data is stored, and what the retention period constitutes.
All relevant data about personnel should be considered PII and managed accordingly. If the screening is done by an external entity or another organizational department, sensitive information like historic remuneration details should be redacted if irrelevant to the screening process.
Control implemented
Not applicable - A “N/A” answer indicates that the portion of the control in question is out of scope of the assessment. The “SSRM control ownership” column is to be left blank (e.g., greyed out), and optionally the CSP may explain why it is the case (“CSP Implementation Description”).
No - A “No” answer indicates that the portion of the control in question is not implemented, while in scope of the assessment. The CSP has to assign the implementation responsibility of the control to the relevant party under column “SSRM control ownership”, and optionally elaborate on the “why” (has not been implemented), and “what” has to be done for its implementation by that party.
Yes - A “Yes” answer indicates that the portion of the control in question is implemented. The CSP indicates the responsible and accountable parties (SSRM control ownership), and optionally elaborates on the implementation “how-to” per relevant party CSP and/or CSC.
Control ownership
CSP-owned - The CSP is entirely responsible and accountable for the CCM control implementation.
CSC-owned - The Cloud Service Customer (CSC) is entirely responsible and accountable for the CCM control implementation.
Third-party - The third-party CSP in the supply chain (e.g., an IaaS provider) is responsible for CCM control implementation, while the CSP is fully accountable.
Shared CSP and CSC - Both the CSP and CSC share CCM control implementation responsibility and accountability.
Shared CSP and third party - Any CCM control implementation responsibility is shared between CSP and the third party, but the CSP remains fully accountable.
Description

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually.