Pre-Employment Screening for (IT) Certifications

Clients and potential customers have high standards when it comes to the IT security of their data at contracted companies. Certifications set standards, verify correct implementation, and thereby create trust in the IT infrastructure.

One of the prescribed measures is pre-employment screening for IT personnel in key positions. This article explains what this means for certified companies and how they can meet the requirements.

1. Which are the relevant certifications/directives?

The relevant directives include:

  • ISO 27001
  • C5 (cloud computing)
  • TISAX (automotive industry)
  • KRITIS (critical infrastructure)

As part of risk management, the directives prescribe screening of applicants for risk-sensitive positions. This applies to external candidates but also covers internal moves into security-relevant positions (also known as in-employment screening).

Audits are carried out according to a risk-based approach: the scope of the audit is determined by the potential damage that can occur for a particular position.

2. The test criteria

The directives also provide information on what needs to be verified and how. For example, ISO 27001 lists prerequisites and requirements:

“This review must be appropriate in relation to business requirements, the classification of the information to be obtained and possible risks (A.7.1.1). In order to achieve this, the following, among other things, should be present, ensured or checked:

  • a procedure for obtaining information (how and under which requirements)
  • a list of relevant legal and ethical criteria
  • the security check must be appropriate, based on risks and company needs
  • the plausibility and authenticity of CVs, degrees and other documents
  • the applicant’s trustworthiness and competence for the intended position”

(Source: ISO 27001:2020, Appendix A.7)

This brings up two basic principles of pre-employment screening: the appropriateness and the manner of obtaining information.

Appropriateness

The risk-based approach means that only aspects that carry a potential for economic loss may be examined. The measures taken must be proportionate to the potential risk.

Obtaining information

The verification of applicant data is regulated by the data protection requirements of the GDPR. This permits the processing of personal data for the purpose of aptitude testing in application procedures. The candidate must be informed of this and sign a declaration of notification and consent.

3. The content of the checks

While ISO 27001 describes the scope of the audit in vague terms, the C5 guideline is more specific:

“To the extent legally permissible, the review covers the following areas:

  • Identity verification by means of an official ID document
  • Verification of the curriculum vitae (CV)
  • Verification of academic titles and degrees
  • Certificate of good conduct or national equivalent
  • Assessment of the risk of susceptibility to blackmail

The verification of qualifications and integrity can be carried out with the help of a specialized service provider. Depending on national legislation, national counterparts of the German certificate of good conduct are also permissible. […]

The extent to which a potential employee is susceptible to blackmail can be assessed, for example, by checking their creditworthiness.”

(Source: Cloud Computing Compliance Criteria Catalogue – C5:2020, 5.3 Staffing (HR), HR-01 Verification of qualification and trustworthiness)

This yields the check areas of identity, professional qualifications and trustworthiness. In the next step, suitable checks are assigned to these areas in order to obtain the required results.

4. Corresponding checks and test packages

An allocation can be made, for example, in two test levels: “Minimum” for a basic check (i.e. for low-risk positions) and “Enhanced” for a more in-depth screening (i.e. for high-risk positions).

Check                                           | Minimum | Enhanced
Highest educational attainment                  |         |
CV plausibility                                 |         |
Address verification                            |         |
Sanction/corruption lists                       |         |
Employment history                              |         |
Media reputation check                          |         |
Credit check                                    |         |
Certificate of good conduct/criminal record check |       |


5. The audit report

Once screening is complete, a test report detailing the results of the individual checks is created. The report provides guidance for hiring decisions and fulfils the documentation requirements for subsequent audits.

By default, all personal data is fully and irrevocably deleted three months after the report is created.

6. What do businesses stand to gain from pre-/in-employment screening?

  ✓ Mitigation of potential damage due to poor staffing decisions
  ✓ Aids decision-making in recruitment
  ✓ Compliance with the criteria set out in the directives
  ✓ Serves as proof of due diligence for audits
  ✓ Data-compliant, legally sound checks
  ✓ Supports the work of the HR department

7. The bottom line

Pre-employment screening in Germany is voluntary, except for companies holding the listed certifications. The required background checks are part of a catalog of measures and serve to minimize risk.

The directives are similar in their requirements for pre-employment screening. The ISO 27001 standard and C5 serve as a blueprint, and the other directives build on this. The test packages from Section 4 are therefore applicable to all certifications, including KRITIS.
