
Employee Background Checks in ISO 27799

$349.00
  • Who trusts this: Trusted by professionals in 160+ countries
  • How you learn: Self-paced • Lifetime updates
  • Your guarantee: 30-day money-back guarantee — no questions asked
  • When you get access: Course access is prepared after purchase and delivered via email
  • Toolkit included: A practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.

This curriculum spans the design and operational management of background check programs in healthcare organizations, comparable in scope to a multi-phase advisory engagement aligning HR, legal, and IT security functions with ISO 27799 and regulatory requirements.

Module 1: Aligning Background Check Policies with ISO 27799 Controls

  • Determine which roles require background checks based on access to PHI and system privileges, per ISO 27799 A.7.2.1.
  • Map background screening scope to specific security responsibilities defined in role-based access control frameworks.
  • Integrate pre-employment screening requirements into the organization’s information security policy documentation.
  • Define exceptions for interim hires and contractors, ensuring compensating controls are documented and approved.
  • Coordinate with legal counsel to ensure screening criteria comply with HIPAA and jurisdictional privacy laws.
  • Establish review cycles for background check policy alignment with updated ISO 27799 editions.
  • Document risk acceptance decisions for roles deemed low-risk without screening.
  • Ensure third-party HR systems used for screening are evaluated for data protection compliance.

Module 2: Legal and Regulatory Compliance in Healthcare Screening

  • Verify that background check consent forms meet FCRA requirements when using U.S.-based screening vendors.
  • Assess international hiring implications, including GDPR restrictions on criminal record processing in EU countries.
  • Implement data minimization practices by limiting the collection of non-relevant personal history.
  • Establish procedures for adverse action notifications in compliance with pre-adverse and adverse action workflows.
  • Train HR staff on handling candidate disputes related to inaccurate background data.
  • Conduct periodic audits of screening records to ensure retention periods align with legal mandates.
  • Negotiate data processing agreements (DPAs) with screening vendors handling PHI or personally identifiable information (PII).
  • Document jurisdiction-specific restrictions on using credit history or arrest records in employment decisions.

Module 3: Risk-Based Screening Tiers for Healthcare Roles

  • Classify roles into high, medium, and low risk based on access to electronic health records and administrative privileges.
  • Require enhanced screening (e.g., global criminal searches, credential verification) for clinical IT administrators.
  • Limit screening scope for non-clinical, non-technical staff to national criminal and employment verification only.
  • Define escalation paths for roles with hybrid responsibilities, such as clinical informaticists.
  • Update risk tier assignments during organizational changes, such as system migrations or new service lines.
  • Validate that contractors and temporary staff undergo equivalent screening based on role classification.
  • Document justification for deviations from standard screening based on operational urgency.
  • Integrate risk tier definitions into onboarding checklists used by HR and IT provisioning teams.

Module 4: Vendor Selection and Management for Screening Services

  • Evaluate screening vendors based on HITRUST CSF certification or SOC 2 Type II reports.
  • Assess geographic coverage capabilities for multinational healthcare systems with offshore staff.
  • Compare turnaround times for critical checks like credential verification against SLAs.
  • Conduct due diligence on sub-processors used by the vendor for international criminal database access.
  • Implement breach notification requirements in vendor contracts for data exposure incidents.
  • Perform annual vendor risk assessments focusing on data encryption and access controls.
  • Define data ownership clauses ensuring the healthcare organization retains control over screening records.
  • Establish procedures for transitioning screening operations to a new vendor without service gaps.

Module 5: Integration with Identity and Access Management (IAM)

  • Configure IAM workflows to block system access provisioning until background check clearance is confirmed.
  • Synchronize background check status with HRIS fields used for automated access provisioning.
  • Implement manual override mechanisms with audit logging for emergency access scenarios.
  • Define reconciliation processes for employees whose checks fail post-provisioning.
  • Integrate background check expiration alerts for roles requiring periodic re-screening.
  • Map screening outcomes to attribute-based access control (ABAC) policies where applicable.
  • Ensure audit logs capture who approved exceptions to screening requirements.
  • Test IAM integrations during system upgrades to prevent access control gaps.

Module 6: Handling Adverse Findings and Due Process

  • Develop standardized review criteria for evaluating criminal convictions in relation to job duties.
  • Establish a multi-disciplinary review board including legal, HR, and compliance representatives.
  • Implement a hold process that suspends onboarding without revoking offers prematurely.
  • Train reviewers on EEOC enforcement guidance regarding criminal history usage.
  • Document rationale for each final employment decision involving adverse findings.
  • Ensure candidates have access to their screening reports and an opportunity to dispute inaccuracies.
  • Define retention periods for adverse action records separate from general personnel files.
  • Conduct periodic equity audits to detect potential disparate impact across demographic groups.

Module 7: Ongoing Monitoring and Re-Screening Strategies

  • Define re-screening intervals for high-risk roles based on organizational risk appetite and regulatory requirements.
  • Implement continuous criminal monitoring services for roles with elevated access privileges.
  • Balance monitoring frequency against employee privacy expectations and operational cost.
  • Integrate license verification systems for clinical staff into ongoing screening workflows.
  • Establish alert mechanisms for credential revocation or disciplinary actions reported by licensing boards.
  • Define procedures for revoking access when re-screening reveals disqualifying findings.
  • Communicate re-screening requirements during annual compliance training to maintain transparency.
  • Assess feasibility of automated consent renewal for continuous monitoring programs.

Module 8: Data Privacy and Security in Background Check Processing

  • Encrypt background check data both in transit and at rest within HR and vendor systems.
  • Restrict access to screening results to authorized HR and compliance personnel only.
  • Implement role-based access controls in applicant tracking systems to prevent unauthorized viewing.
  • Conduct privacy impact assessments (PIAs) before introducing new screening data types.
  • Define secure disposal procedures for physical and digital screening records post-retention.
  • Monitor for unauthorized access attempts to background check databases using SIEM tools.
  • Ensure screening vendors comply with the organization’s data classification policies.
  • Apply masking techniques to sensitive fields in test and development environments.

Module 9: Audit Readiness and Documentation Practices

  • Maintain a centralized repository for background check policies, forms, and vendor contracts.
  • Generate audit trails showing completion status of checks for all active employees in in-scope roles.
  • Prepare evidence of periodic policy reviews and updates aligned with ISO 27799 revisions.
  • Document risk-based exceptions to screening requirements with executive approvals.
  • Archive adverse action files separately with restricted access for compliance auditors.
  • Validate that third-party auditors can access screening records without exposing unrelated PII.
  • Conduct internal mock audits to test completeness and accuracy of screening documentation.
  • Map controls to specific ISO 27799 clauses for external auditor reference.

Module 10: Cross-Functional Governance and Stakeholder Alignment

  • Establish a governance committee with representatives from HR, IT security, legal, and clinical operations.
  • Define RACI matrices for ownership of screening policy, execution, and monitoring tasks.
  • Coordinate with the privacy office to ensure alignment with enterprise privacy programs.
  • Integrate background check metrics into security risk dashboards for executive review.
  • Resolve conflicts between operational urgency and screening compliance through predefined escalation paths.
  • Conduct annual tabletop exercises simulating breaches involving screening data.
  • Align background check practices with enterprise risk management (ERM) reporting cycles.
  • Facilitate joint training sessions for HR and IT staff on policy interpretation and tool usage.