Draft | Internal | ISO 27001

SW-ISMS-POL-006

HR Security Policy

Version: 1.0

Owner: CISO

Effective Date: TBD

Review Date: TBD

HR Security Policy

1. Purpose

This policy establishes security requirements for the complete employment lifecycle at Swedwise AB, from recruitment through termination. It ensures that personnel understand their security responsibilities, are appropriately screened, and that security considerations are integrated into HR processes.

This policy supports ISO 27001:2022 Annex A controls 6.1-6.8 (People controls) and protects Swedwise and customer information assets throughout the employee/contractor lifecycle.

2. Scope

This policy applies to:

Personnel Scope

  • All employees (full-time, part-time, temporary)
  • Contractors and consultants
  • Interns and trainees
  • Board members with access to Swedwise systems or information
  • Third-party personnel working on behalf of Swedwise

Lifecycle Coverage

  • Pre-employment screening and selection
  • Onboarding and induction
  • Ongoing employment terms and conditions
  • Changes in role or access requirements
  • Termination or change of employment
  • Post-employment obligations

Location Coverage

  • All Swedwise offices (Karlstad HQ, Stockholm, Uddevalla)
  • Remote workers
  • Consultants at customer sites
  • Temporary or mobile work locations

3. Pre-Employment Screening

3.1 Background Verification

All candidates for employment or contractor engagement undergo screening appropriate to the role, including:

Standard Screening (All Roles):

  • Identity verification (valid government-issued ID)
  • Right to work verification (employment eligibility)
  • Employment history verification (minimum 3 years or since last education)
  • Educational qualification verification (for roles requiring specific degrees/certifications)
  • Professional reference checks (minimum 2 references)
  • Gap analysis in employment history (explanations for gaps >3 months)

Enhanced Screening (Sensitive Roles):

For roles with elevated security responsibilities (e.g., SaaS operations, CISO, system administrators, roles with access to customer confidential data), additional checks may include:

  • Criminal background check (where legally permissible and proportionate)
  • Credit check (for financially sensitive roles, with consent)
  • Professional certification verification
  • Previous employer security clearance verification (if applicable)

Contractor Screening:

  • Standard screening applies to long-term contractors (>3 months engagement)
  • Abbreviated verification for short-term contractors through reputable agencies
  • Contractor company verification (business registration, insurance, references)

3.2 Screening Documentation

  • All screening results are documented and retained in accordance with data protection requirements
  • Screening must be completed before access to Swedwise systems or confidential information is granted
  • Adverse findings are reviewed by HR and hiring manager; CISO consulted for security-sensitive roles
  • Candidates are informed of screening requirements and consent obtained where required by law

All background screening complies with:

  • Swedish Employment Protection Act (Lagen om anställningsskydd - LAS)
  • GDPR and Swedish data protection legislation
  • Discrimination laws and ethical hiring practices
  • Industry-specific regulations where applicable

Screening is proportionate to the role's security sensitivity and business need.

4. Terms and Conditions of Employment

4.1 Security Responsibilities in Employment Agreements

All employment contracts and contractor agreements include:

Confidentiality Obligations:

  • Duty to protect Swedwise confidential and proprietary information
  • Prohibition on unauthorized disclosure during and after employment
  • Specific obligations regarding customer data and intellectual property
  • Duration of confidentiality obligations (typically perpetual for trade secrets)

Acceptable Use:

  • Acknowledgment of acceptable use policies for IT systems and information
  • Prohibition on personal use of company resources except as permitted
  • Restrictions on installation of software or unauthorized system modifications

Security Compliance:

  • Requirement to comply with all information security policies and procedures
  • Obligation to report security incidents and suspected violations
  • Participation in mandatory security training and awareness programs
  • Acceptance of monitoring and audit of system usage

Intellectual Property:

  • Work product and inventions developed during employment belong to Swedwise
  • Obligation to return all company property upon termination
  • Non-compete and non-solicitation provisions (where legally enforceable)

Disciplinary Provisions:

  • Consequences for security policy violations
  • Right of Swedwise to investigate security incidents
  • Termination provisions for serious security breaches

4.2 Non-Disclosure Agreements (NDAs)

Additional NDAs may be required for:

  • Specific customer engagements with heightened confidentiality
  • Access to particularly sensitive Swedwise information (e.g., M&A, strategic plans)
  • Third-party personnel not directly employed by Swedwise
  • Roles with access to trade secrets or proprietary technology

4.3 Code of Conduct

All personnel acknowledge and agree to follow Swedwise's Code of Conduct, which includes:

  • Ethical behavior and integrity expectations
  • Respect and professionalism in all interactions
  • Prohibition on conflicts of interest
  • Compliance with laws and regulations
  • Reporting of unethical or illegal behavior

5. Security Awareness and Training

5.1 Onboarding Security Training

All new employees and contractors complete mandatory security awareness training within their first week, covering:

Core Topics:

  • Information security policy overview and responsibilities
  • Information classification and handling requirements
  • Password security and authentication best practices
  • Phishing and social engineering awareness
  • Physical security and clean desk practices
  • Incident reporting procedures
  • Acceptable use of IT systems
  • Data protection and privacy basics (GDPR awareness)

Format:

  • Combination of online modules and in-person orientation
  • Completion verified and recorded in HR system
  • Assessment to verify understanding (minimum 80% passing score)
  • Certificate of completion retained in personnel file

5.2 Ongoing Awareness

Annual Refresher Training:

  • All staff complete an annual security awareness refresher (at least 30 minutes, typically 30-45 minutes)
  • Content updated to reflect current threats and organizational changes
  • Completion tracked and reported to management

Role-Specific Training:

  • System administrators, developers, SaaS operations: Advanced security training
  • Customer-facing roles: Customer data handling and confidentiality
  • Managers: Security responsibilities for their teams
  • CISO, Quality Lead, Environmental Lead: Specialist IMS training

Awareness Communications:

  • Regular security tips and reminders via email, intranet, team meetings
  • Simulated phishing exercises (minimum quarterly)
  • Security topic of the month program
  • Lessons learned from incidents shared organization-wide

5.3 Training Records

  • All security training completion is documented and retained for a minimum of 3 years (see Section 11)
  • Training status monitored and reported to management quarterly
  • Non-completion escalated to line managers and may affect access privileges

6. During Employment

6.1 Access Control and Least Privilege

  • Access to information and systems is granted based on job role requirements
  • The principle of least privilege applies: minimum necessary access only
  • Access requests are approved by line manager and system owner
  • Access rights reviewed annually or when role changes
  • Privileged access (admin rights) requires additional approval and justification

See SW-ISMS-POL-004 Access Control Policy for detailed requirements.

6.2 Monitoring and Acceptable Use

  • Personnel acknowledge that their use of Swedwise systems may be monitored
  • Monitoring is conducted in accordance with Swedish labor law and privacy requirements
  • Personal use of systems is limited and subject to acceptable use policy
  • Violations of acceptable use may result in disciplinary action

See SW-ISMS-POL-002 Acceptable Use Policy for detailed requirements.

6.3 Changes in Employment

When personnel change roles, locations, or responsibilities:

Access Reviews:

  • Access rights reviewed and adjusted to match new role
  • Access from previous role removed if no longer required
  • Re-screening may be required if new role has higher security sensitivity

New Agreements:

  • Updated employment contracts or addenda if responsibilities significantly change
  • Additional NDAs if access to new confidential areas granted
  • Re-acknowledgment of policies if substantial policy updates occurred

Training:

  • Additional training provided for new security responsibilities
  • Refresher training if moving to higher security sensitivity role

6.4 Departures and Extended Absences

Long-term Leave (>1 month):

  • Access rights may be suspended during extended absence (with HR and manager approval)
  • Equipment returned to office or secured appropriately
  • Re-activation procedures defined for return to work

Sabbaticals/Unpaid Leave:

  • Access typically suspended
  • Equipment returned
  • Confidentiality obligations remain in force

7. Termination or Change of Employment

7.1 Termination Process

Termination of employment (voluntary resignation, dismissal, retirement, end of contract) triggers immediate security procedures:

Access Revocation:

  • System access disabled on effective termination date (or immediately for involuntary terminations with cause)
  • Accounts deactivated (not deleted) to preserve audit trails
  • Remote access (VPN, email, cloud services) revoked immediately
  • Physical access cards/keys disabled
  • Access to customer systems coordinated with customer security teams

Asset Return:

  • All company property returned before final departure:
    • Laptops, mobile devices, tablets
    • Access cards, keys, security tokens
    • Company credit cards
    • Documents (paper and electronic media)
    • Any other equipment or materials
  • IT department verifies return and data removal from personal devices (BYOD)
  • Unreturned assets reported and may be invoiced to departing employee

Data Removal:

  • Company data deleted from personal (BYOD) devices; IT may require verification of deletion
  • The departing employee's personal data removed from returned company devices before reissue
  • Departing employee certifies in writing that they have not retained unauthorized copies of Swedwise or customer information
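The access controls in Sections 6.1 (annual access review), 6.4 (suspension during long-term leave) and 7.1 (disable, do not delete, on termination) only hold if someone periodically checks the directory against HR. The script below is an added example of such a leaver/mover reconciliation, written for this page and not part of the policy or any Swedwise tooling. The HR and directory records, their field names and the sample people are all constructed for illustration; the thresholds are taken from the policy text (365 days for review, more than one month for leave).

```python
"""Leaver/mover reconciliation: HR lifecycle export vs. identity directory export.

Added example, not part of the policy. All records below are constructed;
the field names are assumptions, not a real HR or directory schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

REVIEW_INTERVAL = timedelta(days=365)  # Section 6.1: access rights reviewed annually
LEAVE_THRESHOLD = timedelta(days=31)   # Section 6.4: long-term leave is > 1 month


@dataclass(frozen=True)
class HRRecord:
    person_id: str
    status: str                  # "active" | "terminated" | "on_leave"
    status_date: Optional[date]  # termination effective date or leave start date


@dataclass(frozen=True)
class Account:
    account: str
    person_id: str
    enabled: bool
    last_access_review: Optional[date]  # None = never reviewed


@dataclass(frozen=True)
class Finding:
    code: str
    account: str
    detail: str


def reconcile(hr: List[HRRecord], accounts: List[Account], as_of: date) -> List[Finding]:
    """Return every account whose state contradicts the policy as of `as_of`."""
    people = {r.person_id: r for r in hr}
    owners_with_accounts = {a.person_id for a in accounts}
    findings: List[Finding] = []

    for a in accounts:
        rec = people.get(a.person_id)
        if rec is None:
            # No HR record at all: nobody owns this account, so nobody reviews it.
            findings.append(Finding("ORPHAN_ACCOUNT", a.account, "no HR record for owner"))
        elif rec.status == "terminated":
            # Section 7.1: disabled on the effective date (future-dated leavers are fine).
            if a.enabled and rec.status_date is not None and rec.status_date <= as_of:
                findings.append(Finding("ACCOUNT_STILL_ENABLED", a.account,
                                        f"terminated {rec.status_date}, account enabled"))
        elif rec.status == "on_leave":
            # Section 6.4: suspension needs HR/manager approval, so this is a review item.
            if a.enabled and rec.status_date is not None and as_of - rec.status_date > LEAVE_THRESHOLD:
                findings.append(Finding("LEAVE_ACCESS_NOT_SUSPENDED", a.account,
                                        f"on leave since {rec.status_date}"))
        elif rec.status == "active" and a.enabled:
            if a.last_access_review is None or as_of - a.last_access_review > REVIEW_INTERVAL:
                findings.append(Finding("ACCESS_REVIEW_OVERDUE", a.account,
                                        f"last review {a.last_access_review}"))

    # Section 7.1: accounts are deactivated, not deleted, to preserve audit trails.
    # A leaver with no directory record at all (not even a disabled one) is suspicious.
    for rec in hr:
        if rec.status == "terminated" and rec.person_id not in owners_with_accounts:
            findings.append(Finding("ACCOUNT_MISSING_AFTER_TERMINATION", rec.person_id,
                                    "no directory record; expected a disabled account"))
    return findings


def run_sample() -> List[Finding]:
    """Constructed sample exports; returns the findings for 2024-06-10."""
    as_of = date(2024, 6, 10)
    hr = [
        HRRecord("p001", "active", None),
        HRRecord("p002", "terminated", date(2024, 5, 31)),   # left, account never disabled
        HRRecord("p003", "terminated", date(2024, 5, 15)),   # left, account deleted outright
        HRRecord("p004", "on_leave", date(2024, 3, 1)),      # on leave > 1 month
        HRRecord("p005", "active", None),
        HRRecord("p006", "terminated", date(2024, 7, 1)),    # future-dated leaver
        HRRecord("p007", "terminated", date(2024, 4, 1)),    # correctly disabled
    ]
    accounts = [
        Account("a.svensson", "p001", True, date(2024, 1, 10)),
        Account("b.karlsson", "p002", True, date(2024, 1, 10)),
        Account("d.nilsson", "p004", True, date(2024, 1, 10)),
        Account("e.berg", "p005", True, date(2023, 2, 1)),     # review older than a year
        Account("f.lind", "p006", True, date(2024, 1, 10)),
        Account("g.holm", "p007", False, date(2024, 1, 10)),
        Account("svc-legacy", "p999", True, None),             # owner unknown to HR
    ]
    return reconcile(hr, accounts, as_of)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.code:34} {f.account:12} {f.detail}")
```

Run it against the real exports by replacing `run_sample` with the loaders for your HR system and directory; the findings map one-to-one onto the checklist items in Sections 6 and 7, so each code can be routed to the responsible role (line manager for reviews, HR and IT for leavers).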

7.2 Exit Interview and Reminders

Exit Interview:

  • HR conducts exit interview covering security obligations
  • Departing employee reminded of:
    • Ongoing confidentiality obligations
    • Prohibition on unauthorized use or disclosure of information
    • Return of all company property
    • Non-compete and non-solicitation obligations (if applicable)
    • Contact for questions about post-employment obligations

Departure Checklist:

  • Standardized checklist ensures all security steps completed
  • Signed by departing employee, line manager, HR, and IT
  • Retained in personnel file

7.3 Post-Employment Obligations

Confidentiality:

  • Confidentiality obligations continue after termination (perpetual for trade secrets)
  • Prohibition on using Swedwise confidential information for new employer's benefit
  • Prohibition on soliciting Swedwise customers or employees (time-limited per contract)

Intellectual Property:

  • Work product created during employment remains Swedwise property
  • Obligation to assign inventions or IP arising after employment where they derive from work performed for Swedwise

Enforcement:

  • Swedwise reserves right to enforce post-employment obligations
  • Violations may result in legal action

7.4 Involuntary Termination for Cause

When termination is involuntary and related to security violations or misconduct:

Immediate Actions:

  • Access revoked immediately (may occur before employee notification)
  • Supervised exit from premises
  • Remote wipe of mobile devices if not returned
  • Investigation findings documented
  • Law enforcement notification if criminal activity suspected

Customer Notification:

  • Customers notified if terminated employee had access to their systems or data
  • Coordination with customer security teams for access revocation
  • Incident reporting if security breach involved

8. Contractors and Third-Party Personnel

8.1 Contractor Agreements

Contractors and third-party personnel with access to Swedwise information or systems are subject to:

  • Contractual security obligations equivalent to employees
  • Background screening appropriate to role and access
  • Security awareness training before access granted
  • Monitoring and compliance verification
  • Termination procedures when engagement ends

8.2 Contractor Management

  • Contractor security requirements included in procurement contracts
  • Line manager responsible for contractor compliance
  • Access limited to contract duration and scope
  • Periodic review of contractor access (minimum annually)
  • Termination procedures mirror employee process

8.3 Third-Party Personnel at Customer Sites

Swedwise consultants working at customer sites must:

  • Comply with customer security policies and procedures
  • Maintain Swedwise baseline security standards
  • Report any conflicts between Swedwise and customer requirements to line manager
  • Protect Swedwise confidential information while at customer locations
  • Separate customer data from Swedwise data appropriately

9. Disciplinary Process

9.1 Policy Violations

Violations of this or related security policies are addressed through progressive discipline:

Minor Violations (First Occurrence):

  • Verbal warning and coaching
  • Retraining on relevant policy area
  • Documented in personnel file
  • Monitoring of compliance improvement

Repeat or Moderate Violations:

  • Written warning
  • Mandatory retraining and assessment
  • Temporary access restrictions if appropriate
  • Performance improvement plan
  • Documented and retained in personnel file

Serious or Intentional Violations:

  • Immediate access suspension pending investigation
  • Formal investigation by HR and CISO
  • Possible termination of employment
  • Legal action if warranted (civil or criminal)
  • Customer and authority notification if required

9.2 Investigation Process

Security incidents involving personnel follow documented investigation procedures:

  • Prompt, fair, and confidential investigation
  • Personnel rights respected (legal counsel, union representation where applicable)
  • Evidence preserved and documented
  • Findings documented with recommendations
  • Consistent application of disciplinary standards

9.3 Whistleblower Protection

  • Personnel reporting security violations in good faith are protected from retaliation
  • Anonymous reporting channels available
  • Reports investigated promptly and confidentially
  • Protection aligned with Swedish whistleblower legislation

10. Roles and Responsibilities

HR Manager

Assigned to: [TBD - name]

Responsibilities:

  • Coordinate pre-employment screening processes
  • Ensure security terms included in employment contracts
  • Maintain personnel security records
  • Coordinate security training tracking
  • Conduct exit interviews and termination processes
  • Advise on employment law compliance
  • Partner with CISO on security HR matters

CISO

Assigned to: [TBD - name]

Responsibilities:

  • Define security requirements for roles and screening
  • Approve enhanced screening for sensitive positions
  • Develop and maintain security awareness training content
  • Investigate security incidents involving personnel
  • Provide input on disciplinary actions for security violations
  • Monitor compliance with HR security policy
  • Report HR security metrics to management

Line Managers

Responsibilities:

  • Verify security training completion for their staff
  • Request appropriate access rights (least privilege)
  • Review staff access rights annually
  • Report suspected security violations
  • Support disciplinary processes
  • Conduct departing employee handoff and asset return verification
  • Ensure contractor compliance with security requirements

All Personnel

Responsibilities:

  • Cooperate with background screening processes
  • Complete mandatory security training on time
  • Comply with all security policies and procedures
  • Report security incidents and violations
  • Protect confidential information during and after employment
  • Return all company property upon termination
  • Honor post-employment confidentiality and non-compete obligations

11. Records and Documentation

The following records are maintained:

Personnel Security Records:

  • Background screening results ([TBD - retention period per local law])
  • Security training completion records (minimum 3 years)
  • Security acknowledgment forms (duration of employment + [TBD - e.g., 2 years])
  • Access grant/revocation logs (minimum 12 months, or per audit requirement)
  • Exit interview checklists (minimum 3 years)
  • Disciplinary actions related to security (duration of employment + [TBD - e.g., 5 years])

Record Protection:

  • Personnel security records classified as Confidential
  • Access limited to HR, CISO, and authorized management
  • Stored securely with access controls and encryption
  • Retention and disposal per data protection requirements

12. Compliance

This policy complies with:

  • GDPR: Background screening, training records, and monitoring comply with data protection principles
  • Swedish Labor Law: Employment terms, disciplinary process, and monitoring respect worker rights
  • Discrimination Laws: Screening and hiring practices are non-discriminatory
  • Whistleblower Protections: Reporting channels and protections align with EU and Swedish legislation
  • ISO 27001:2022: Annex A 6.1-6.8 people controls implemented

13. Review and Update

This policy is:

  • Reviewed annually by CISO in coordination with HR Manager
  • Updated when significant changes occur in:
    • Organizational structure or roles
    • Legal or regulatory requirements (employment law, data protection)
    • Threat landscape or security incidents involving personnel
    • ISO 27001 requirements
  • Approved by [TBD - CEO/Management Team]
  • Communicated to all staff following updates

14. Related Documents

Policies:

  • SW-ISMS-POL-002 Acceptable Use Policy
  • SW-ISMS-POL-004 Access Control Policy

Procedures:

Forms and Templates:

  • [TBD - Security Awareness Training Certificate]
  • [TBD - Employee Security Acknowledgment Form]
  • [TBD - Exit Interview Checklist]
  • [TBD - Access Request Form]
  • [TBD - Contractor Security Agreement Template]

Supporting Documents:

  • [TBD - Code of Conduct]
  • [TBD - Security Awareness Training Materials]

15. Document Control

Version: 1.0
Date: [TBD]
Author: [TBD - CISO name]
Changes: Initial policy creation
Approved By: [TBD - CEO name]

Next Review Date: [TBD - typically 12 months from effective date]

Document Classification: Internal

Document Owner: CISO


This policy is approved by Swedwise AB management and is effective from the date specified above. All staff are required to read, understand, and comply with this policy.