Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook
Academy home
Understanding HR Security Basics for ISO 27001 & NIS2 Compliance

Understanding the significance of HR security in achieving compliance with both ISO 27001 and NIS2 cannot be overstated. These frameworks play a vital role in maintaining the robustness and resilience of your organization's information security base. Whereas ISO 27001 provides an extensive set of best practices for information security management, NIS2 emphasizes having documented measures on HR security.

Below, we explore the key areas and best practices in which your HR team can help you achieve ISO 27001 and NIS2 compliance.

The Role of HR in Information Security

Human Resource (HR) departments play an essential role in preserving information security within organizations. This involves implementing security policies, procedures and best practices—critical activities that help achieve ISO 27001 and NIS2 compliance. This task may seem purely technical, but it combines both administrative and strategic efforts.

In order to maintain security and reduce risks, HR departments are tasked with the responsibility of developing and implementing reasonable security policies. These are key guidelines designed to protect an organization’s information systems from threats, whether external or internal. Procedures, on the other hand, refer to established methods of managing and safeguarding valuable data across various operational areas within the organization.

But the role of HR does not stop there. A significant part of HR's mission is to promote security awareness among employees. Regular security training sessions, suitable ways of communicating about current threats, and digital hygiene best practices all become part of HR's tool set. Informed employees are less likely to fall victim to cyber threats, and therefore are strengthening the company's overall security posture.

Tools like the guidelines can serve as instrumental resources for HR departments in fulfilling these roles. It provides invaluable insights and practical procedural guides that can be instrumental in setting a strong foundation for HR security.

See in the screenshot above: A tool, which is using a guidebook with guidelines and case examples for the employee's awareness training, is illustrated below, demonstrating its applicability and ease-of-use for HR practitioners in everyday operations. In this case, the HR can use the tool to activate guidelines for different employees as needed. Let's say you have a developer and a sales rep: they most likely have some common basic company guidelines, but the HR may want the sales rep to follow other additional guidelines than the developer and in the best case scenario, neither should have to read for them non-relevant guidelines.

HR Practices for ISO 27001 and NIS2 Compliance

In the journey to achieving compliance with ISO 27001 and NIS2, several critical HR practices come into focus. These practices not only enhance information security but also create a secure organizational culture. The following HR practices are vital steps towards achieving compliance with ISO 27001 and NIS2. With a committed and well-trained HR team, organizations can foster a culture of security awareness and resilience.

Recruitment and Onboarding

Examples of related ISO 27001 controls
6.1 Screening

6.2 Terms and conditions of employment
6.6 Confidentiality and non-disclosure agreements

Interestingly, a study by SHRM revealed that negligent hiring is the cause of 53% of all crime happening at work. This statistic emphasizes the critical role of background checks in preventing security threats and maintaining a safe work environment.

Therefore, the first stage of compliance starts when welcoming a new team member. A crucial part of recruiting includes the performance of thorough background checks and verification of credentials. HR teams play the vital role of ensuring only trustworthy individuals with proven integrity join their ranks. This is a significant initial safeguard against potential internal security threats.

Once on board, it is important that new hires receive a proper training on security policies and procedures. Equipped with this knowledge, they are in a position to uphold the organization's information security standards and expectations, thereby promoting a security-conscious work culture.

Access Control and Permissions

Examples of related ISO 27001 controls
5.15 Access control
5.17 Authentication information

Managing access to sensitive information is crucial in safeguarding an organization's data. Here is where role-based access control (RBAC) comes into play. This system, built on the principle of "least privilege", ensures employees only access the information necessary for their job roles. This is a good method of controlling access to sensitive data and mitigating risks of data misuse.

Regular review and updating of access rights are equally significant. Over time, personnel changes, job role shifts or policy changes may require adjustments to access controls. Regular audits allow for these adjustments, keeping the access control system relevant and effective.

Certain tools can help you keeping an overview of those responsibilities and remind you to keep the information up to date. See in the screenshot above: An example of how this topic can be handled using Cyberday as a tool.

Employee Guidelines, Awareness and Training

Examples of related ISO 27001 controls
6.3 Information security awareness, education and training
5.10 Acceptable use of information and other associated assets

5.37 Documented operating procedures
7.6 Working in secure areas

Continuous security awareness programs are crucial when maintaining and strengthening an organization's security posture. Regular training sessions keep employees informed of the most recent threats and best security practices, promoting a proactive approach to information security. In addition to that, regular reading and approving of guidelines will ensure that the employees will not forget the most important security measures and expectations.

Training on handling sensitive information securely cannot be overemphasized. Employees need to understand the value of the information they handle and the importance of treating it with the necessary caution. It is the HR's responsibility to provide this training alongside reinforcing the company's commitment to information security. There are many different ways of how awareness training can be done, such as:

  • Regular cyber security workshops
  • E-learning courses
  • Phishing simulation training
  • Guidelines
  • Information sessions on latest cyber threats

How every organization in the end is handling their awareness training, depends very much on their needs. However, for certain certifications, such as the ISO 27001 certification, you will need a proof of the awareness training, and therefore, using a tool can be beneficial.

Example of a guidebook with guidelines to read and accept as a tool for not only the awareness training of the employee, but also a tool for the HR to collect evidence of the awareness training and collecting statistics of the progress to ensure that the employees are actually proceeding with their training.

Employee Offboarding

Examples of related ISO 27001 controls
5.11 Return of assets

6.5 Responsibilities after termination or change of employment

When employees leave the organization, HR has the crucial role of ensuring a smooth offboarding process. Proper exit procedures should be in place to revoke access rights promptly and efficiently, thus closing any potential access points for an outgoing employee.

Furthermore, ensuring the return of company assets and termination of accounts helps maintain control over company property and information, mitigating risks of data leakage or unauthorized access. Keep in mind that the offboarding process needs to be documented for NIS2 compliance. The NIS2 directive emphasizes the importance of having documented procedures for all aspects of information security, including the offboarding process.


In conclusion, HR plays an essential role in maintaining the information security of an organization. Through strategic practices and procedures ranging from onboarding to offboarding, HR ensures compliance with essential guidelines like ISO 27001 and NIS2.

However, while the ISO 27001 and NIS2 directive, both aim at ensuring information security and resilience in organizations, they differ significantly in their approach towards HR security basics. ISO 27001 is more prescriptive and provides a set of best practices that organizations should follow. It outlines specific HR practices necessary for compliance, such as background checks during recruitment, training new hires on security policies, role-based access control, regular review of access rights, continuous security awareness programs, and proper exit procedures.

On the other hand, the NIS2 directive is less prescriptive and more flexible. It does not provide specific guidelines on HR practices but emphasizes that organizations need to have their measures on HR security documented. This allows organizations to tailor their HR security measures according to their specific needs and circumstances. This also means that organizations need to invest more time and resources in developing and documenting their HR security measures, which is why we recommend to benefit from the ISO 27001 best practices when implementing measures for NIS2 compliance.

It is good to keep in mind that information security is not a destination but an ongoing journey that requires consistent effort, continuous learning, and everyday efforts. With the right tools, practices, and collaboration across all departments, your organization can effectively manage its security risks and achieve ISO 27001 and NIS2 compliance. Keep exploring resources like Cyberday’s Guidebook for more insights and practical examples.


Share article