Approaches to ISO 27001 Annex A 6.1 Screening: Practices and Audit Insights from Different Organizations

Hey everyone, I'm currently reviewing approaches to ISO 27001 Annex A 6.1 screening and it’s interesting to see how differently organisations interpret the ongoing/periodic aspect of people screening. I’ve seen some organisations take a broad approach across all employees, while others seem to align it more closely to role sensitivity, access levels, or overall risk exposure. There also appears to be quite a bit of variation in how these expectations are documented internally, whether through contracts, onboarding processes, policies, or elsewhere. I would be interested to hear how others have approached this in practice, particularly what has worked well operationally and during audits.