M4.1.1 - HUMAN RESOURCES SECURITY POLICY Implementation Guidance
The entity shall develop and maintain a human resources security policy and associated security controls.
Back to M4.1.1 - P2 - HUMAN RESOURCES SECURITY POLICY
Critical entities shall also take into account any other NESA’s relevant issuances, guidance, and activities in this regard.
The human resources security policy facilitates the implementation of the associated controls along the entire employment lifecycle: prior to employment, during employment, and termination or change of employment. The policy can, for example, contain:
- A. Scope of the policy
- B. Management roles and responsibilities during each phase of the employment lifecycle
- C. Employment terms and conditions
- D. Required information security awareness and training during employment in line with M3.1.1
- E. Employment termination procedures and checks
The human resources policy can be included as part of the general information security policy, in a single policy document, or can be represented by multiple policies reflecting the complex nature of certain entities.
