Traceable-Answer Reference / Human Resources
HRS-08 — Employment Agreement Content
Include in employment agreements terms requiring adherence to information governance and security policies.
Every framework that asks this
Answer HRS-08 once and it typically satisfies the equivalent control elsewhere. Altitude and confidence vary — a domain-level anchor is a starting point to verify, not an audited equivalence.
| Framework | Equivalent control(s) | Confidence |
|---|---|---|
| SOC 2 | CC1.1 | high |
| ISO 27001 | A.6.2 | high |
| NIST CSF 2.0 | PR.AT-01, PR.AT-02, GV.RR-02 (domain-level) | high |
| NIST 800-53 | PS-1, PS-2, PS-3, PS-4, PS-6, AT-2, AT-3 (domain-level) | high |
| SIG | Human Resources Security (domain-level) | high |
Full provenance and NIST 800-53 mappings: the framework crosswalk.
What the reviewer is really checking
The reviewer is establishing that access to their data is bounded by a real personnel lifecycle: vetting at hire, obligation while employed, and revocation at exit — each tied to an actual trigger rather than goodwill. They want to know whether background screening is performed where legally permitted (and how you handle jurisdictions where it is not), whether staff sign binding acceptable-use and confidentiality agreements, whether security-awareness training happens on a stated cadence and at onboarding, and — most sharply — whether access is revoked quickly and verifiably when someone is terminated. The underlying worry is concrete: a former employee or contractor whose credentials outlive their employment is a standing breach path into the buyer's environment, and an untrained insider is a phishing click away from the same outcome. Reviewers cross-check HRS answers against IAM: your off-boarding claim here should reconcile with your access-revocation claim there. They also probe contractors and third-party staff, not just employees, because access does not care about employment category. The real question is: 'Is every human who can touch our data screened, obligated, trained, and — the moment they leave — actually locked out?'
What a truthful, defensible answer contains
A defensible HRS answer describes your personnel-security lifecycle in operational terms. It states what pre-employment screening you perform, scoped to what local law allows, and how that scope varies by role sensitivity or region — without overclaiming universal background checks you do not run everywhere. It confirms that employees and relevant contractors accept an acceptable-use policy and confidentiality/IP agreement as a condition of access, and names when that happens. It describes security-awareness training with a cadence (for example, at onboarding and on a recurring interval), what it covers, and how completion is tracked and enforced. Critically, it describes off-boarding as a triggered, time-bound process: what event starts revocation, which access is removed, who is responsible, the target timeframe, and how completion is confirmed — including for federated and third-party systems. It should cover contractors and temporary staff explicitly. A strong answer is honest about coverage boundaries: if screening depth differs for contractors, or training completion is not yet fully enforced, saying so is more credible than a blanket claim. Every statement should map to an HR or IT record a reviewer could sample — a signed agreement, a training-completion export, an off-boarding checklist with timestamps.
Make it traceable
Bind each HRS claim to the record that evidences it. A screening claim points to the background-check policy plus a sample (redacted) confirmation for a role in scope. An agreements claim points to the AUP/NDA templates and the acceptance record showing staff signed. A training claim points to the completion report with dates and rates, not just the curriculum. An off-boarding claim points to the documented procedure and a sample completed off-boarding ticket showing access-removal timestamps. This is Promise–Proof for people controls: 'access is revoked on termination' resolves to a de-provisioning log entry a reviewer can inspect, and reconciles with the IAM access-review evidence. When a new hire class completes onboarding or a leaver is de-provisioned, the answer should draw from those live records so cadence and timeliness claims stay true rather than aspirational.
Answer patterns that hold up
- State screening scope tied to legality and role sensitivity (what is checked, where, for which roles) — not a blanket 'all employees are background-checked.'
- Confirm AUP and confidentiality/IP agreements are accepted as a condition of access, and name the point in onboarding where that occurs.
- Describe awareness training as onboarding + recurring cadence, with tracked, enforced completion — not 'employees receive security training.'
- Describe off-boarding as a triggered, time-bound revocation process (trigger, scope, owner, timeframe, confirmation), covering contractors and federated systems.
- Be explicit where coverage differs for contractors or where enforcement is still maturing, rather than claiming uniform coverage.
Evidence that backs the answer
Red flags reviewers catch
- 'Employees receive security training' with no cadence and no onboarding link.
- 'All staff undergo background checks' with no acknowledgment of legal or contractor exceptions.
- Off-boarding described as a goal ('access is removed when someone leaves') with no trigger, timeframe, or confirmation.
- Confidentiality obligations asserted but no signed agreement or acceptance record referenced.
- HRS off-boarding answer that does not reconcile with the IAM access-revocation answer elsewhere in the questionnaire.
Sources
- CSA Cloud Controls Matrix v4 (HRS domain)
- NIST SP 800-53 Rev. 5 (PS — Personnel Security; AT — Awareness and Training)
- ISO/IEC 27001:2022 — A.6.1 Screening, A.6.2 Terms and conditions of employment, A.6.3 Awareness, education & training, A.6.5 Responsibilities after termination
- AICPA SOC 2 Trust Services Criteria (Common Criteria — personnel)