Overview
ISO 27001 requires organizations to address information security across the full employment lifecycle — from screening candidates before hire, through defining security obligations in employment terms, to ensuring secure offboarding when people leave. This skill produces four auditor-ready documents covering controls A.6.1 (Screening), A.6.2 (Terms and conditions of employment), A.6.4 (Disciplinary process), A.6.5 (Responsibilities after termination), and A.5.4 (Management responsibilities for security).
For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the ISO 27001 ISMS workspace tutorial.
What It Covers
- HR Security Policy — umbrella policy covering screening, employment terms, management oversight, disciplinary process, and termination procedures
- Employment Security Clauses Template — standard security clauses for employment and service contracts (NDA, acceptable use, IP assignment, post-termination obligations)
- Pre-Employment Screening Checklist — background checks, reference verification, credential validation, with enhanced screening for sensitive roles
- Termination/Exit Security Procedure — access revocation, asset return, knowledge transfer, NDA reminder, and post-departure monitoring
Example Conversation
You: Create HR security documentation for our SaaS company. We need screening procedures for engineering hires, employment contract security clauses, and an exit procedure covering access revocation across our systems (GCP, GitHub, Okta, Google Workspace).
Agent: I’ll draft all 4 HR security documents based on the organization profile. Let me start with the employment security clauses template, then validate it.
Running hr_clause_completeness_checker…
RESULT: PASS — All 5 required clauses found: NDA/confidentiality reference, acceptable use policy, IP assignment clause, disciplinary consequences for violations, and post-termination obligations. Advisory: the template also includes data protection (LGPD) references and asset return provisions.
Now let me validate the exit procedure.
Running exit_procedure_coverage_validator…
RESULT: PASS — The termination procedure covers access revocation for all 4 systems identified in the organization profile: Okta (SSO deprovisioning), GCP (IAM role removal), GitHub (organization membership revocation), and Google Workspace (account suspension). Asset return checklist, knowledge transfer plan, NDA reminder, and exit interview steps are all present.
Excerpt of a generated exit procedure
Below is a condensed example from the access revocation section of the Termination/Exit Security Procedure:
## 4. Access Revocation Checklist <!-- ISO 27001 A.6.5 -->
The following access revocation steps shall be completed within 24 hours of the employee's last working day:
| System | Action | Responsible | Verified |
|--------|--------|-------------|----------|
| Okta (SSO) | Deactivate user account; revoke all SSO sessions | IT Operations | [ ] |
| GCP | Remove IAM roles and service account keys | Cloud Engineering | [ ] |
| GitHub | Remove from organization; revoke personal access tokens | Engineering Lead | [ ] |
| Google Workspace | Suspend account; transfer document ownership | IT Operations | [ ] |
| Physical access | Deactivate badge; collect physical keys | Facilities | [ ] |
All access revocation actions shall be logged and retained for [Retention Period].
Validation tools
The skill includes two extension tools:
- HR clause completeness checker — Validates an employment contract security clauses template against ISO 27001 A.6.2. Required (errors if missing): (1) NDA/confidentiality reference, (2) acceptable use policy, (3) intellectual property assignment, (4) disciplinary consequences, (5) post-termination obligations. Recommended (warnings): data protection/LGPD reference, return of assets, security awareness training reference.
- Exit procedure coverage validator — Validates a termination/exit security procedure against ISO 27001 A.6.5. Required (errors if missing): (1) access revocation, (2) asset return, (3) knowledge transfer, (4) NDA/ongoing confidentiality reminder. Recommended (warnings): exit interview, badge/credential return, email/communication handover. Optionally cross-references the organization profile to verify that the procedure covers all systems and departments.
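The following Python sketch is an added example, not the skill's own tools: it shows how both validators can be built on the same required/recommended rule structure described above, with required items producing errors (FAIL) and recommended items producing warnings, and with the exit-procedure check optionally cross-referenced against the systems listed in an organization profile. The keyword patterns, the sample clause template, the sample exit procedure and the profile system list are all constructed for this example; the page does not describe how the real tools match text.

```python
import re
from dataclasses import dataclass, field
from typing import Sequence

# Keyword rules are constructed for this example; the page lists the items
# each tool checks but not the real tools' matching logic.
CLAUSE_RULES = {
    "required": {
        "NDA/confidentiality reference": [r"\bnda\b", r"non-disclosure", r"confidential"],
        "acceptable use policy": [r"acceptable use"],
        "intellectual property assignment": [r"intellectual property", r"\bip assignment\b"],
        "disciplinary consequences": [r"disciplinar"],
        "post-termination obligations": [r"post-termination", r"after termination"],
    },
    "recommended": {
        "data protection/LGPD reference": [r"\blgpd\b", r"data protection"],
        "return of assets": [r"return (of )?(all )?(company )?(assets|equipment)", r"asset return"],
        "security awareness training reference": [r"awareness training", r"security training"],
    },
}

EXIT_RULES = {
    "required": {
        "access revocation": [r"access revocation", r"revok", r"deactivat", r"deprovision"],
        "asset return": [r"asset return", r"return (of )?(all )?(company )?(assets|equipment)"],
        "knowledge transfer": [r"knowledge transfer"],
        "NDA/ongoing confidentiality reminder": [r"\bnda\b", r"confidentiality"],
    },
    "recommended": {
        "exit interview": [r"exit interview"],
        "badge/credential return": [r"\bbadge\b", r"credential"],
        "email/communication handover": [r"\bemail\b", r"mailbox", r"auto-?repl"],
    },
}


@dataclass
class Report:
    """Validation outcome: any error means FAIL; warnings are advisory only."""
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    def passed(self) -> bool:
        return not self.errors

    def summary(self) -> str:
        parts = ["RESULT: " + ("PASS" if self.passed() else "FAIL")]
        if self.errors:
            parts.append("missing required: " + ", ".join(self.errors))
        if self.warnings:
            parts.append("advisory: " + ", ".join(self.warnings))
        return "; ".join(parts)


def _missing(text: str, rules: dict) -> list:
    """Names of rules for which none of the patterns occur in the text (case-insensitive)."""
    low = text.lower()
    return [name for name, pats in rules.items() if not any(re.search(p, low) for p in pats)]


def validate_clauses(template: str) -> Report:
    """Employment-clause check against the A.6.2 items listed on the page."""
    return Report(_missing(template, CLAUSE_RULES["required"]),
                  _missing(template, CLAUSE_RULES["recommended"]))


def validate_exit_procedure(procedure: str, profile_systems: Sequence[str] = ()) -> Report:
    """Exit-procedure check against the A.6.5 items, plus the optional cross-reference
    against every system named in the organization profile (each one must be mentioned)."""
    report = Report(_missing(procedure, EXIT_RULES["required"]),
                    _missing(procedure, EXIT_RULES["recommended"]))
    low = procedure.lower()
    for system in profile_systems:
        if system.lower() not in low:
            report.errors.append(f"system not covered: {system}")
    return report


# Constructed sample inputs: a clause template lacking only a training reference,
# and an exit procedure that never mentions Google Workspace.
CLAUSE_TEMPLATE = """
3.1 Confidentiality. The Employee is bound by the Non-Disclosure Agreement (NDA).
3.2 Acceptable Use. The Employee shall observe the Acceptable Use Policy.
3.3 Intellectual Property. All work product is assigned to the Company.
3.4 Disciplinary Action. Violations may result in disciplinary action.
3.5 Obligations After Leaving. Confidentiality obligations survive post-termination.
3.6 Data Protection. Personal data is processed in accordance with LGPD.
3.7 Return of Assets. On leaving, the Employee shall return all company assets.
"""

EXIT_PROCEDURE = """
## 4. Access Revocation Checklist
| Okta (SSO) | Deactivate user account; revoke all SSO sessions |
| GCP | Remove IAM roles and service account keys |
| GitHub | Remove from organization; revoke personal access tokens |
## 5. Asset Return
Laptop, badge and physical keys are returned to Facilities.
## 6. Knowledge Transfer
The line manager records a knowledge transfer plan before the last day.
## 7. NDA Reminder
HR reminds the leaver of ongoing confidentiality obligations under the NDA.
"""

PROFILE_SYSTEMS = ["Okta", "GCP", "GitHub", "Google Workspace"]

if __name__ == "__main__":
    print(validate_clauses(CLAUSE_TEMPLATE).summary())
    print(validate_exit_procedure(EXIT_PROCEDURE, PROFILE_SYSTEMS).summary())
```

Run as a script, the clause check passes with one advisory (no security awareness training reference), while the exit check fails because the organization profile names Google Workspace and the procedure never covers it; the profile cross-reference is what turns an otherwise complete-looking procedure into a FAIL, which is the case the coverage validator exists to catch.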
Getting Started
Add your organization profile and any existing HR documents to the project workspace, then activate the HR & Personnel Security skill. The agent will guide you through gathering HR context, drafting all 4 documents, and validating them with the completeness and coverage tools.