Secure staffing and security awareness

Introduction

We ensure information security and privacy during onboarding, employment, and offboarding processes. In addition, attention is given to security awareness and training, so that employees are informed about information security and the handling of privacy-sensitive data.

Detailed explanation

Recruitment and selection (security aspects)

During recruitment and selection, information security-related checks are performed. This includes verification of the candidate’s identity, assessment of the profile based on work experience, CV and certificates, and evaluation of knowledge relevant to the role. Consideration is also given to the candidate’s attitude toward information security and secure development practices.

If a candidate is selected, relevant information is stored in HR files. If a candidate is not selected, the information is stored in accordance with the applicable retention period, unless the candidate requests otherwise. When recruitment is outsourced, the recruitment party is responsible for compliance with applicable laws and regulations.

Screening, contracting, and starting conditions

Prior to employment, a recent certificate of good conduct is required. An employment contract (or freelance agreement) is concluded and includes provisions such as non-disclosure, intellectual property rights, and use of company assets.

Employees and freelancers sign internal information security and privacy guidelines. Onboarding is supported by a checklist to ensure that all required steps are carried out and documented.

Onboarding and changes during employment

Procedures are in place to manage onboarding and employment-related activities. Onboarding and offboarding are supported by checklists to ensure that required steps are completed and recorded.

During employment, employees can follow training and courses to maintain required competencies for their role. Security and privacy awareness is addressed during team meetings and periodic performance reviews.

Management ensures that employees are familiar with ISMS documentation (policies, procedures) and that work is carried out in accordance with these guidelines. Relevant information such as training records, learning plans, and review cycles is stored in HR files.

Awareness and training

Employees can follow training courses to maintain professional competence and job requirements. Security awareness is increased through:

• periodic awareness training sessions (e.g. during staff meetings)

• attention to information security and privacy during regular meetings

Training needs are determined by management. Participation in training is recorded in HR files. The effectiveness of training is assessed during evaluation interviews and at an organizational level during the annual management review.

Offboarding

A structured offboarding process is in place, supported by a checklist. This ensures that all required steps are completed and recorded, including:

• returning keys, access codes, and company property

• disabling authorizations

• signing a declaration that confidential company information has been removed from personal devices

This process starts when termination of the contract is announced and is executed under responsibility of management, with support from office management.