Screening should take place prior to employment (or engagement of contractors) and should verify skills and identity, with reference to local legislative requirements. It should also be considered as part of a promotion process where a security role is involved. Candidates should be informed in advance of any screening process, as required by legislation. None of this should come as a surprise to a well-informed HR department. Screening will form the basis of an external audit and should form part of your internal audits too. The files external auditors most commonly want to see are those of the management representative (Information Security Manager) and the CEO/MD. It always happens, so don’t be surprised when it does! Procedures should outline the criteria for acceptance and, equally, who is permitted to carry out the screening.