Human Resource Security Policy

Document Number: ISMS-POL-HR-01

Classification: L1 — Policy (Domain)

Version: 0.1.1

Effective Date: February 18, 2026

Author: Lucas Shin — Security Director

Approved By: Richard — CISO

Next Review Date: February 2027

Parent Policy: Information Security Policy (ISMS-POL-ISP-01)

1. Purpose

This policy defines the human resource security requirements throughout the employment lifecycle — from hiring through to termination — to ensure that all personnel understand their security responsibilities and that organisational assets are protected when employment relationships change.

This policy addresses the people dimension of information security, complementing the technical controls defined in the BYOD Security Policy (ISMS-POL-BYOD-01) and M365 Workspace & Access Policy (ISMS-POL-M365-01).

2. Scope

2.1 Applicable Personnel

All employees of Cybercraft, regardless of role or licence tier
Contractors and temporary staff engaged by Cybercraft, including those enrolled through the BYOD Device Lifecycle Procedure
Directors and shareholders who access Cybercraft information assets (Jeff, Farah, Richard, Paul)

2.2 Employment Phases Covered

Pre-employment: Screening, verification, terms of engagement
During employment: Security awareness, ongoing obligations, consent management
Termination / Change of role: Offboarding, access revocation, asset return

2.3 Out of Scope

Level 3 Collaboration Partners (guest accounts) — covered under Supplier & Third-Party Security Policy (ISMS-POL-STP-01)
Technical access control configurations — covered under M365 Workspace & Access Policy (ISMS-POL-M365-01)

3. Pre-Employment Security

3.1 Screening and Verification

Check	Applicable To	Owner
Identity verification (government-issued ID)	All personnel	CEO / Hiring Manager
Reference check (previous employer)	All employees	CEO / Hiring Manager
Right to work verification	All personnel (NZ employment law)	CEO / Hiring Manager
Professional qualification verification	Technical / security roles	Security Director

Proportionality note: As a 3–5 person SMB, Cybercraft conducts proportionate screening. Police vetting or financial background checks are not required unless a role involves access to client audit data or financial systems, in which case the CISO must approve the scope.

3.2 Terms of Engagement

Prior to granting access to any Cybercraft information assets, all personnel must sign:

Document	Purpose	Renewal
Employment Contract / Engagement Agreement	Defines role, responsibilities, and security obligations	On role change
Non-Disclosure Agreement (NDA)	Protects confidential and client information from unauthorised disclosure	On engagement + annually
Acceptable Use Policy Acknowledgment	Confirms understanding of permitted and prohibited use of Cybercraft systems	Annually

4. Security Obligations During Employment

4.1 BYOD User Consent and Acknowledgment

Derived from BYOD Security Policy (ISMS-POL-BYOD-01) Section 5.3:

All BYOD users must sign the BYOD User Consent Form prior to device enrollment
The consent form covers:
Consent must be renewed annually or upon significant policy change
Refusal to sign the consent form results in denial of BYOD access; alternative arrangements must be discussed with the Security Director

4.2 Employee Security Responsibilities

Derived from BYOD Security Policy (ISMS-POL-BYOD-01) Section 4:

All personnel are required to:

Comply with all applicable security policies and procedures
Report suspected security incidents to the Security Director within 24 hours
Maintain device OS and application updates (BYOD users: submit weekly Updatest evidence)
Protect credentials — never share passwords or MFA devices with any third party
Preserve data classification boundaries — Confidential data must remain in Private Channels

4.3 Security Awareness

Activity	Frequency	Audience	Owner
Security policy briefing (onboarding)	On joining	All new personnel	Security Director
Annual security awareness refresher	Annually	All personnel	Security Director
Policy change notification	Ad-hoc	Affected personnel	Security Director
Incident lessons learned briefing	Post-incident	All personnel	Security Director

Proportionality note: For a 3–5 person SMB, security awareness is delivered through direct briefings and Teams communications rather than formal LMS-based training. This is documented via meeting notes and acknowledgment records.

4.4 Contractor and Temporary Staff Requirements

Derived from BYOD Security Policy (ISMS-POL-BYOD-01) Section 2.2:

Contractors may only access Cybercraft systems if enrolled through the Device Lifecycle Procedure (BYOD-PROC-01)
Contractors must sign the NDA and Acceptable Use Acknowledgment before receiving any Cybercraft credentials
Contractor access is reviewed at each engagement renewal and upon project completion
Contractors are classified as Level 2 — Trusted Guest under the M365 trust model and are subject to corresponding access restrictions

5. Termination and Change of Role

5.1 Offboarding Process

Cross-references: BYOD Device Lifecycle Procedure (BYOD-PROC-01) Section 5

Step	Action	Owner	Timeline
1	Manager/CEO notifies Security Director of personnel departure	CEO / Manager	Minimum 1 business day before last day
2	Security Director initiates selective wipe on BYOD device (work data only)	Lucas	Employee's last working day
3	Disable Entra ID account (blocks all M365/SaaS access)	Lucas	Employee's last working day
4	Remove device from Intune inventory	Lucas	Within 24 hours of last day
5	Revoke M365 licence assignment	Lucas	Within 7 days
6	Remove from all Teams teams/channels	Lucas	Within 24 hours of last day
7	Remind departing personnel of ongoing NDA obligations	CEO / Security Director	Last working day
8	Document offboarding completion in offboarding checklist	Lucas	Within 72 hours

5.2 Change of Role

When personnel change roles within Cybercraft:

Security Director reviews and adjusts Teams membership, channel access, and licence tier as appropriate
If the new role requires a different licence tier (e.g., Standard → Premium), the licence is reassigned and BYOD enrollment updated
Access to previous role's Private Channels is revoked unless explicitly justified and approved by the CISO

6. Roles and Responsibilities

Role	Person	Responsibilities
CEO	Farah	Executive sponsor, final authority on hiring decisions, resource allocation, NDA enforcement
CISO	Richard	Policy approval, exception approval for enhanced screening, annual management review
Security Director	Lucas	Policy maintenance, onboarding/offboarding execution, security awareness delivery, consent management, access provisioning/deprovisioning
All Personnel	All staff	Comply with security policies, report incidents, complete awareness activities, sign required documents

7. Compliance Mapping

ISO 27001 Control	Requirement	Covered By
A.6.1	Screening	Section 3.1 (Pre-employment screening)
A.6.2	Terms and conditions of employment	Section 3.2 (Terms of engagement) + Section 4.1 (BYOD consent)
A.6.3	Information security awareness, education and training	Section 4.3 (Security awareness)
A.6.4	Disciplinary process	Section 4.2 (Employee responsibilities — non-compliance consequences per master policy)
A.6.5	Responsibilities after termination or change of employment	Section 5 (Termination and change of role) + NDA obligations
A.6.6	Confidentiality or non-disclosure agreements	Section 3.2 (NDA requirement)

8. Document Control

Version	Date	Author	Changes
0.1.0	2026-02-18	Lucas Shin	Initial release — incorporates HR-related controls from BYOD Security Policy and establishes full employment lifecycle security framework.
0.1.1	2026-02-20	Lucas Shin	L2 policy reordering (renumbered). Updated all cross-reference document numbers to reflect new P-numbering scheme.

Review Schedule

Annually: Full policy review, NDA renewal cycle, awareness programme effectiveness assessment
On personnel change: Onboarding/offboarding checklist execution and verification
Ad-hoc: Upon significant organisational changes, regulatory updates, or post-incident lessons learned

[End of Policy Document]