Employee Onboarding Policy (Annex A.7)
Public version
Effective Date: 01 July 2025
Owner: HR Manager (HR)
Applies To: All employees and all new hires of Advntg.AI
ISO 27001 & SOC 2 Mapping
This policy supports compliance with the following standards and controls:
ISO 27001 Annex A Controls (ISO/IEC 27001:2013 numbering)
- A.7 – Human Resource Security: Ensuring security responsibilities are addressed before, during, and after employment.
- A.9 – Access Control: Applying least privilege, authentication standards, and controlled account provisioning during onboarding.
- A.12 – Operations Security: Enforcing endpoint security and secure asset issuance for new hires.
- A.18 – Compliance: Ensuring adherence to legal, regulatory, and contractual requirements during the hiring process.
SOC 2 Trust Services Criteria
- Security (CC1.x, CC6.x) – Implementing logical access controls and onboarding processes that protect systems and data.
- Confidentiality (C1.x) – Ensuring new hires sign NDAs and understand their obligations to protect sensitive information.
- Availability (A1.x) – Making sure employees have secure and appropriate access to systems to support operational availability without compromising security.
Table of Contents
1. Purpose
2. Scope
3. Pre-employment screening
4. Employment agreement and other documentation
5. Access Control
6. Security awareness training
7. Equipment and Company assets
8. Probation period review
9. Enforcement and Violations
Version | Date | Made By | Approved By | Comments
1.0 | 01 July 2025 | HR | CEO | n/a
1. Purpose
The purpose of this Policy is to ensure that all new employees, contractors, and temporary staff are:
- Properly vetted through pre-employment screening to confirm suitability and trustworthiness.
- Trained in the Company’s security policies, procedures, and obligations.
- Granted secure, role-appropriate access to Company resources in a controlled and compliant manner.
This Policy helps protect the confidentiality, integrity, and availability of Company information assets by embedding security requirements into the onboarding process from the first point of engagement.
2. Scope
This policy applies to all individuals who require access to Company systems, facilities, or information as part of their role, including:
- All new hires – permanent, temporary, and contract employees.
- Interns and apprentices – individuals engaged in training or work experience programs.
- Third-party personnel – consultants, agency staff, or vendor representatives requiring system or facility access during their engagement.
3. Pre-employment screening
All candidates must undergo a background screening process in accordance with applicable local laws and regulations.
The screening process may include:
- Identity verification – confirming legal name, date of birth, and government-issued identification.
- Employment history and reference checks – verifying previous roles, responsibilities, and references provided.
- Criminal background checks – conducted where legally permitted and relevant to the role.
Screening results must be:
- Documented in the candidate’s HR file.
- Reviewed and approved by Human Resources before any onboarding activities or system access are initiated.
4. Employment agreement and other documentation
All employees must sign the following documents prior to being granted access to Company systems or data:
- Employment Agreement – outlining job responsibilities, terms of engagement, and conditions of employment.
- Confidentiality / Non-Disclosure Agreement (NDA) – legally binding the employee to protect Company information from unauthorized disclosure or misuse.
- Acceptable Use Policy (AUP) – confirming understanding and agreement to follow Company IT usage, security, and conduct requirements.
Signed documents must be retained in the employee’s personnel file in accordance with the Company’s records retention policy.
5. Access Control
5.1. All access rights for new employees must follow the principle of least privilege, granting only the minimum permissions required to perform assigned job duties.
5.2. Account Creation
User accounts are created only after:
- Approval from the hiring manager.
- Verification by Human Resources that all required onboarding steps have been completed.
5.3. Security Requirements
- Multi-Factor Authentication (MFA) must be enforced on every account that supports it before the account is first used, i.e. from the first day of access.
- Password standards defined in the Company’s Access Control Policy must be applied to all accounts at the time of creation.
6. Security awareness training
6.1. All new employees must complete security awareness training within their first five (5) business days of employment.
6.2. The training program must cover at minimum:
- Company security policies – including acceptable use, access control, and data handling.
- Incident reporting procedures – how and where to report suspected or confirmed security incidents.
- Data protection requirements – safeguarding personal, client, and Company confidential data.
- Phishing and social engineering prevention – recognizing and responding to common attack techniques.
6.3. Training Records
- Completion must be documented and tracked by both Human Resources and the Cybersecurity Team.
- Employees who do not complete training within the required timeframe may have access to systems restricted until completion.
7. Equipment and Company assets
7.1. All devices assigned to new employees must comply with the Company’s Endpoint Security Requirements, including:
- Full-disk encryption.
- Endpoint Detection and Response (EDR) solutions.
- Firewall protection enabled and configured per policy.
- Continuous security monitoring.
7.2. Asset Tracking
- All assigned assets must be recorded in the IT Asset Inventory, including:
  - Device serial number.
  - Assigned user.
  - Date of issue.
- The asset inventory must be kept up to date and regularly reconciled against physical assets.
8. Probation period review
8.1. During the probationary period, managers and Human Resources must jointly verify the following:
- Job performance – confirmation that the employee is meeting role expectations.
- Security policy compliance – adherence to Company security policies, procedures, and acceptable use requirements.
- Access rights validation – review of assigned system and data access to ensure no excessive, unnecessary, or unused permissions remain.
8.2. Any non-compliance or excessive access identified must be remediated promptly in accordance with the Company’s Access Control Policy.
9. Enforcement and Violations
9.1. Employees who fail to complete required onboarding activities or who violate Company security policies may have their system and facility access suspended until compliance is achieved.
9.2. Severe or repeated violations may result in:
- Termination of employment.
- Legal action, where applicable.
- Notification to regulatory authorities, if required by law or contractual obligation.
9.3. All violations will be reviewed in accordance with the Company’s disciplinary procedures and incident response process.
This Policy shall be reviewed and updated from time to time, subject to HR approval.
For questions or reports regarding this Policy, contact:
hr@advntg.ai