"Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks."[1]

"The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security."[1]

"Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function."[1]

"A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation."[1]

"Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties."[1]

"Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties."[1]

"Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises."[1]

"The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner."[1]