# HR & Personnel Security

> Draft and validate HR security documents covering the full employment lifecycle: pre-employment screening, employment contract security clauses, management security responsibilities, disciplinary process framework, and termination/exit security procedures aligned with ISO 27001:2022 Annex A controls A.6.1, A.6.2, A.6.4, A.6.5, and A.5.4.

Tags: ISO 27001, A.6.1, A.6.2, A.6.4, A.6.5, A.5.4, ISMS, HR Security, Personnel Security, Compliance

## Example Prompts

- Create HR security policies for our ISO 27001 certification
- Draft employment contract security clauses for new hires
- Build a pre-employment screening checklist for our engineering team
- Document the termination and exit security procedure
- Validate our HR security documents for ISO 27001 compliance

URL: https://rakenne.app/skills/iso27001-hr-security/index.md

Try this skill: https://rakenne.app/a/?skill=iso27001-hr-security

## Overview

ISO 27001 requires organizations to address information security across the full employment lifecycle — from screening candidates before hire, through defining security obligations in employment terms, to ensuring secure offboarding when people leave. This skill produces four auditor-ready documents covering controls A.6.1 (Screening), A.6.2 (Terms and conditions of employment), A.6.4 (Disciplinary process), A.6.5 (Responsibilities after termination), and A.5.4 (Management responsibilities for security).

For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the [**ISO 27001 ISMS workspace tutorial**](/learn/tutorials/iso27001-isms-workspace-guide/).

### What It Covers

- **HR Security Policy** — umbrella policy covering screening, employment terms, management oversight, disciplinary process, and termination procedures
- **Employment Security Clauses Template** — standard security clauses for employment and service contracts (NDA, acceptable use, IP assignment, post-termination obligations)
- **Pre-Employment Screening Checklist** — background checks, reference verification, credential validation, with enhanced screening for sensitive roles
- **Termination/Exit Security Procedure** — access revocation, asset return, knowledge transfer, NDA reminder, and post-departure monitoring

## Example Conversation

> **You:** Create HR security documentation for our SaaS company. We need screening procedures for engineering hires, employment contract security clauses, and an exit procedure covering access revocation across our systems (GCP, GitHub, Okta, Google Workspace).
>
> **Agent:** I'll draft all 4 HR security documents based on the organization profile. Let me start with the employment security clauses template, then validate it.
>
> Running **hr_clause_completeness_checker**...
>
> **RESULT: PASS** — All 5 required clauses found: NDA/confidentiality reference, acceptable use policy, IP assignment clause, disciplinary consequences for violations, and post-termination obligations. Advisory: the template also includes data protection (LGPD) references and asset return provisions.
>
> Now let me validate the exit procedure.
>
> Running **exit_procedure_coverage_validator**...
>
> **RESULT: PASS** — The termination procedure covers access revocation for all 4 systems identified in the organization profile: Okta (SSO deprovisioning), GCP (IAM role removal), GitHub (organization membership revocation), and Google Workspace (account suspension). Asset return checklist, knowledge transfer plan, NDA reminder, and exit interview steps are all present.

## Excerpt of a generated exit procedure

Below is a condensed example from the access revocation section of the Termination/Exit Security Procedure:

```markdown
## 4. Access Revocation Checklist <!-- ISO 27001 A.6.5 -->

The following access revocation steps shall be completed within 24 hours of the employee's last working day:

| System | Action | Responsible | Verified |
|--------|--------|-------------|----------|
| Okta (SSO) | Deactivate user account; revoke all SSO sessions | IT Operations | [ ] |
| GCP | Remove IAM roles and service account keys | Cloud Engineering | [ ] |
| GitHub | Remove from organization; revoke personal access tokens | Engineering Lead | [ ] |
| Google Workspace | Suspend account; transfer document ownership | IT Operations | [ ] |
| Physical access | Deactivate badge; collect physical keys | Facilities | [ ] |

All access revocation actions shall be logged and retained for [Retention Period].
```

## Validation tools

The skill includes two extension tools:

- **HR clause completeness checker** — Validates an employment contract security clauses template against ISO 27001 A.6.2. **Required (errors if missing):** (1) NDA/confidentiality reference, (2) acceptable use policy, (3) intellectual property assignment, (4) disciplinary consequences, (5) post-termination obligations. **Recommended (warnings):** data protection/LGPD reference, return of assets, security awareness training reference.

- **Exit procedure coverage validator** — Validates a termination/exit security procedure against ISO 27001 A.6.5. **Required (errors if missing):** (1) access revocation, (2) asset return, (3) knowledge transfer, (4) NDA/ongoing confidentiality reminder. **Recommended (warnings):** exit interview, badge/credential return, email/communication handover. Optionally cross-references the organization profile to verify that the procedure covers all systems and departments.
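The two validators above are described only by their required and recommended items. To make the logic concrete, here is an added example (not the skill's own tool code) of how the exit procedure coverage validator could be implemented: required items become errors, recommended items become warnings, and an optional organization profile is cross-referenced so that any system not named in the procedure is flagged. The keyword patterns, the `SAMPLE_PROCEDURE` text (built from the excerpt above plus constructed sections) and the `SAMPLE_ORG_SYSTEMS` list are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Each check maps a label to regex patterns; any single match satisfies the check.
# Required items mirror A.6.5 expectations listed for the validator above.
REQUIRED_CHECKS = {
    "access revocation": [r"access\s+revocation", r"revoke\s+all", r"deactivate\s+user"],
    "asset return": [r"asset\s+return", r"return\s+of\s+assets", r"collect\s+physical"],
    "knowledge transfer": [r"knowledge\s+transfer", r"handover"],
    "NDA/ongoing confidentiality reminder": [r"\bNDA\b", r"confidentiality\s+(reminder|obligation)"],
}
# Recommended items only produce warnings.
RECOMMENDED_CHECKS = {
    "exit interview": [r"exit\s+interview"],
    "badge/credential return": [r"\bbadge\b", r"credential\s+return"],
    "email/communication handover": [r"\bemail\b", r"mailbox", r"communication\s+handover"],
}


@dataclass
class ValidationReport:
    status: str                       # "PASS" or "FAIL"
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    missing_systems: list = field(default_factory=list)


def _matches(text, patterns):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def validate_exit_procedure(procedure_md, org_systems=()):
    """Check a termination/exit procedure (markdown text) for required and
    recommended coverage, and optionally cross-reference the systems listed
    in an organization profile. Missing required items or uncovered systems
    make the result FAIL."""
    errors = [label for label, pats in REQUIRED_CHECKS.items() if not _matches(procedure_md, pats)]
    warnings = [label for label, pats in RECOMMENDED_CHECKS.items() if not _matches(procedure_md, pats)]
    # Each system from the profile must be mentioned somewhere in the procedure.
    missing = [s for s in org_systems if not re.search(re.escape(s), procedure_md, re.IGNORECASE)]
    status = "FAIL" if errors or missing else "PASS"
    return ValidationReport(status, errors, warnings, missing)


# Constructed sample input: the access revocation excerpt above plus invented
# asset return, knowledge transfer and exit interview sections. It deliberately
# lacks any email/communication handover step.
SAMPLE_PROCEDURE = """
## 4. Access Revocation Checklist
The following access revocation steps shall be completed within 24 hours of the employee's last working day:
| Okta (SSO) | Deactivate user account; revoke all SSO sessions | IT Operations |
| GCP | Remove IAM roles and service account keys | Cloud Engineering |
| GitHub | Remove from organization; revoke personal access tokens | Engineering Lead |
| Google Workspace | Suspend account; transfer document ownership | IT Operations |
| Physical access | Deactivate badge; collect physical keys | Facilities |

## 5. Asset Return
All company equipment is returned and logged on the last working day.

## 6. Knowledge Transfer
The line manager documents a knowledge transfer plan before the last working day.

## 7. Exit Interview and NDA Reminder
HR conducts an exit interview and reminds the leaver of ongoing NDA obligations.
"""

# Constructed organization profile: Slack is listed but the procedure never mentions it.
SAMPLE_ORG_SYSTEMS = ["Okta", "GCP", "GitHub", "Google Workspace", "Slack"]


if __name__ == "__main__":
    report = validate_exit_procedure(SAMPLE_PROCEDURE, SAMPLE_ORG_SYSTEMS)
    print(f"RESULT: {report.status}")
    for e in report.errors:
        print(f"  ERROR: missing required item: {e}")
    for s in report.missing_systems:
        print(f"  ERROR: system from profile not covered: {s}")
    for w in report.warnings:
        print(f"  WARNING: recommended item not found: {w}")
```

Run as a script, the sample reports FAIL solely because Slack from the profile is not covered, plus a warning for the missing email handover; dropping Slack from the profile list turns it into a PASS. Keyword matching of this kind is a cheap first pass: it catches omitted sections and forgotten systems, but a reviewer still has to confirm that each matched section actually describes a workable step.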

## Getting Started

Add your organization profile and any existing HR documents to the project workspace, then activate the *HR & Personnel Security* skill. The agent will guide you through gathering HR context, drafting all 4 documents, and validating them with the completeness and coverage tools.

