Skip to main content

HRS-01: Human Resources Security Management

HRS 10 — Critical Govern

Mechanisms exist to facilitate the implementation of personnel security controls.

Control Question: Does the organization facilitate the implementation of personnel security controls?

General (54)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC1.1 CC1.1-POF1 CC1.1-POF3 CC1.2-POF1 CC1.2-POF2 CC1.2-POF3 CC1.2-POF4 CC1.3-POF6 CC1.4 CC1.4-POF1 CC1.4-POF2 CC1.4-POF3 CC1.5-POF2 CC1.5-POF3 CC1.5-POF4 CC1.5-POF5 CC2.2-POF3 CC2.3-POF4 CC3.3-POF1 CC3.3-POF2 CC3.3-POF3 CC3.3-POF4 CC3.3-POF5
BSI Standard 200-1 6
COBIT 2019 APO07.01 APO07.04 APO07.05 APO07.06
COSO 2017 Principle 1 Principle 4 Principle 5
CSA CCM 4 HRS-01 HRS-02 HRS-03 HRS-04
ENISA 2.0 SO7 SO8
GovRAMP Low PS-01
GovRAMP Low+ PS-01
GovRAMP Moderate PS-01
GovRAMP High PS-01
ISO/SAE 21434 2021 RQ-05-06
ISO 22301 2019 8.4.2.1
ISO 27001 2022 (source) 7.3 7.3(a) 7.3(b) 7.3(c) 7.2(d)
ISO 27002 2022 5.4
ISO 27701 2025 7.2
ISO 42001 2023 7.2
MPA Content Security Program 5.1 OR-3.0 PS-2.0
NAIC Insurance Data Security Model Law (MDL-668) 4.C(4)(a)
NIST AI 100-1 (AI RMF) 1.0 GOVERN 4.1
NIST Privacy Framework 1.0 PR.PO-P9
NIST 800-53 R4 PS-1
NIST 800-53 R4 (low) PS-1
NIST 800-53 R4 (moderate) PS-1
NIST 800-53 R4 (high) PS-1
NIST 800-53 R5 (source) PS-1
NIST 800-53B R5 (low) (source) PS-1
NIST 800-53B R5 (moderate) (source) PS-1
NIST 800-53B R5 (high) (source) PS-1
NIST 800-82 R3 LOW OT Overlay PS-1
NIST 800-82 R3 MODERATE OT Overlay PS-1
NIST 800-82 R3 HIGH OT Overlay PS-1
NIST 800-160 3.2.4
NIST 800-161 R1 PS-1
NIST 800-161 R1 C-SCRM Baseline PS-1
NIST 800-161 R1 Flow Down PS-1
NIST 800-161 R1 Level 1 PS-1
NIST 800-161 R1 Level 2 PS-1
NIST 800-161 R1 Level 3 PS-1
NIST 800-171 R2 (source) 3.1.22 NFO-PS-1
NIST 800-171A (source) 3.2.2[a] 3.2.2[b] 3.2.2[c] 3.9.2[a]
NIST 800-171 R3 (source) 03.01.01.g.02 03.15.03.a 03.15.03.d
NIST 800-171A R3 (source) A.03.01.01.ODP[01] A.03.01.01.ODP[02] A.03.01.01.ODP[03] A.03.01.01.ODP[04]
NIST 800-218 PO.2.1
NIST CSF 2.0 (source) GV.RR-04 ID.AM
PCI DSS 4.0.1 (source) 12.2 12.2.1 12.7 12.7.1
PCI DSS 4.0.1 SAQ C (source) 12.2.1
PCI DSS 4.0.1 SAQ D Merchant (source) 12.2.1 12.7.1
PCI DSS 4.0.1 SAQ D Service Provider (source) 12.2.1 12.7.1
SWIFT CSF 2023 5.1 5.3A
TISAX ISA 6 8.2.5
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) HRS-01
SCF CORE ESP Level 1 Foundational HRS-01
SCF CORE ESP Level 2 Critical Infrastructure HRS-01
SCF CORE ESP Level 3 Advanced Threats HRS-01
US (35)
Framework Mapping Values
US CERT RMM 1.2 HRM:SG3.SP4
US CMMC 2.0 Level 1 (source) AC.L1-B.1.IV
US CMMC 2.0 Level 2 (source) AC.L2-3.1.22
US CMMC 2.0 Level 3 (source) AC.L2-3.1.22
US CMS MARS-E 2.0 PS-1
US Data Privacy Framework (DPF) III.9.b.iii
US DHS CISA TIC 3.0 3.UNI.UATRA
US FAR 52.204-21 52.204-21(b)(1)(iv)
US FCA CRM 609.930(b)(3) 609.930(c)(4)
US FedRAMP R4 PS-1
US FedRAMP R4 (low) PS-1
US FedRAMP R4 (moderate) PS-1
US FedRAMP R4 (high) PS-1
US FedRAMP R4 (LI-SaaS) PS-1
US FedRAMP R5 (source) PS-1
US FedRAMP R5 (low) (source) PS-1
US FedRAMP R5 (moderate) (source) PS-1
US FedRAMP R5 (high) (source) PS-1
US FedRAMP R5 (LI-SaaS) (source) PS-1
US FFIEC D1.R.St.E.4
US FIPPS 2
US GLBA CFR 314 2023 (source) 314.4(e)(2)
US HHS 45 CFR 155.260 155.260(c)
US HIPAA Administrative Simplification 2013 (source) 164.308(a)(3)(ii)(A) 164.312(d) 164.530(e)(2)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.308(a)(3)(ii)(A) 164.312(d)
US HIPAA HICP Small Practice 3.S.A
US IRS 1075 PS-1 2.C.3
US ITAR Part 120 120.15 120.16 120.39 120.40 120.41
US NERC CIP 2024 (source) CIP-003-8 1.1.1 CIP-004-7 R3
US NISPOM 2020 8-307
US NNPI (unclass) 2.1 13.1
US - NY DFS 23 NYCRR500 2023 Amd 2 500.10(a)(1)
US - TX DIR Control Standards 2.0 PS-1
US - TX TX-RAMP Level 1 PS-1
US - TX TX-RAMP Level 2 PS-1
EMEA (17)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.3.2(15)
EMEA EU NIS2 21.2(i)
EMEA EU NIS2 Annex 10.1.1 10.1.3 10.2.3
EMEA Austria Sec 14 Sec 15
EMEA Belgium 16
EMEA Israel CDMO 1.0 19.1
EMEA Saudi Arabia CSCC-1 2019 1-5 2-5
EMEA Saudi Arabia IoT CGIoT-1 2024 1-3-2 1-8-1
EMEA Saudi Arabia ECC-1 2018 1-9-1 1-9-6 2-6-4
EMEA Saudi Arabia OTCC-1 2022 1-7 1-7-2 1-8
EMEA Saudi Arabia SACS-002 TPC-6 TPC-71
EMEA Saudi Arabia SAMA CSF 1.0 3.3.1
EMEA South Africa 19 20
EMEA Spain BOE-A-2022-7191 15.1
EMEA Spain 311/2022 15.1
EMEA UAE NIAF 3.2.3
EMEA UK DEFSTAN 05-138 1300 2702
APAC (9)
Framework Mapping Values
APAC China Cybersecurity Law 34(1)
APAC India DPDPA 2023 21(1)(a) 21(1)(b) 21(1)(c) 21(1)(d) 21(1)(e) 21(2) 22(1) 22(2) 22(3)
APAC India SEBI CSCRF GV.RR.S6 RS.CO.S1
APAC Japan APPI 21
APAC Japan ISMAP 4.5.2 4.5.2.1 4.5.2.2 4.5.2.3 4.5.2.4 4.5.2.5 4.5.2.6 4.5.2.7 4.5.2.8
APAC New Zealand HISF 2022 HML02 HSUP02
APAC New Zealand HISF Suppliers 2023 HSUP02
APAC New Zealand NZISM 3.6 9.2.10.C.01 9.2.11.C.01 9.2.11.C.02 14.3.5.C.01 15.1.7.C.01
APAC Singapore MAS TRM 2021 3.5.1 3.5.2
Americas (3)
Framework Mapping Values
Americas Bermuda BMACCC 5.13
Americas Canada CSAG 1.5
Americas Canada ITSP-10-171 03.01.01.G.02 03.15.03.A 03.15.03.D

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to facilitate the implementation of personnel security controls.

Level 1 — Performed Informally

Human Resources Security (HRS) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Personnel management is decentralized, with the responsibility for training users and enforcing policies being assigned to the user’s immediate supervisor(s)/manager(s), including the definition and enforcement of the user’s specific role(s) and responsibilities.
  • The Human Resources (HR) department provides guidance on HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.
  • Terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior are at the discretion of users’ management.
  • Administrative processes require all employees and contractors to apply cybersecurity and data privacy principles in their daily work.
  • HR, in conjunction with IT personnel establishes redundancy for vital cybersecurity and data privacy staff.
Level 2 — Planned & Tracked

Human Resources Security (HRS) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Ensures industry-recognized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization. o Defines terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.

  • Personnel management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for personnel management.
  • The Human Resources (HR) department:
  • The responsibility for training users and enforcing policies being assigned to user’s immediate supervisor(s)/manager(s), including the definition and enforcement of the user’s specific role(s) and responsibilities.
  • Personnel managers ensure personnel are routinely made aware of the organization's cybersecurity / data privacy policies and provide acknowledgement.
  • Administrative processes require all employees and contractors to apply cybersecurity and data privacy principles in their daily work.
Level 3 — Well Defined

Human Resources Security (HRS) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Ensures industry-recognized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization. o Ensures that every user accessing a system that processes, stores, or transmits sensitive/regulated data is cleared and regularly trained in proper data handling practices. o Identifies and implements industry-recognized HR practices related to cybersecurity and data privacy training and awareness to help ensure secure practices are implemented in personnel operations to help manage risk to both technology assets and data. o Manages personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions.

  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for Human Resources (HR) practices.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for personnel management.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to personnel management.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including HR practices.
  • The Human Resources (HR) department:
  • Administrative processes require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, for both employees and third-parties.
Level 4 — Quantitatively Controlled

Human Resources Security (HRS) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation of personnel security controls.

Assessment Objectives

  1. HRS-01_A01 personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented.
  2. HRS-01_A02 an official to manage the personnel security policy and procedures is defined.
  3. HRS-01_A03 a personnel security policy is developed and documented.
  4. HRS-01_A04 the personnel security policy is disseminated to organization-defined personnel or roles.
  5. HRS-01_A05 personnel or roles to whom the personnel security policy is to be disseminated is/are defined.
  6. HRS-01_A06 personnel or roles to whom the personnel security procedures are to be disseminated is/are defined.
  7. HRS-01_A07 the frequency at which the current personnel security policy is reviewed / updated is defined.
  8. HRS-01_A08 events that would require the current personnel security policy to be reviewed / updated are defined.
  9. HRS-01_A09 the frequency at which the current personnel security procedures are reviewed / updated is defined.
  10. HRS-01_A10 events that would require the personnel security procedures to be reviewed / updated are defined.
  11. HRS-01_A11 the personnel security procedures are disseminated to organization-defined personnel or roles.
  12. HRS-01_A12 the organization's personnel security policy addresses purpose.
  13. HRS-01_A13 the organization's personnel security policy addresses scope.
  14. HRS-01_A14 the organization's personnel security policy addresses roles.
  15. HRS-01_A15 the organization's personnel security policy addresses responsibilities.
  16. HRS-01_A16 the organization's personnel security policy addresses management commitment.
  17. HRS-01_A17 the organization's personnel security policy addresses coordination among organizational entities.
  18. HRS-01_A18 the organization's personnel security policy addresses compliance.
  19. HRS-01_A19 the organization's personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.
  20. HRS-01_A20 an organization-defined official is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures.
  21. HRS-01_A21 the current personnel security policy is reviewed / updated organization-defined frequency.
  22. HRS-01_A22 the current personnel security policy is reviewed / updated following organization-defined events.
  23. HRS-01_A23 the current personnel security procedures are reviewed / updated organization-defined frequency.
  24. HRS-01_A24 the current personnel security procedures are reviewed / updated following organization-defined events.
  25. HRS-01_A25 information security-related duties, roles, and responsibilities are defined.
  26. HRS-01_A26 information security-related duties, roles, and responsibilities are assigned to designated personnel.
  27. HRS-01_A27 personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
  28. HRS-01_A28 criteria and/or process for terminating system access authorization and any credentials coincident with personnel actions is established.
  29. HRS-01_A29 the time period for account inactivity before disabling is defined.
  30. HRS-01_A30 the time period within which to notify account managers and designated personnel or roles when accounts are no longer required is defined.
  31. HRS-01_A31 the time period within which to notify account managers and designated personnel or roles when users are terminated or transferred is defined.
  32. HRS-01_A32 the time period within which to notify account managers and designated personnel or roles when system usage or the need-to-know changes for an individual is defined.
  33. HRS-01_A33 personnel management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
  34. HRS-01_A34 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support personnel management operations.
  35. HRS-01_A35 responsibility and authority for the performance of personnel management-related activities are assigned to designated personnel.
  36. HRS-01_A36 personnel performing personnel management-related activities have the skills and knowledge needed to perform their assigned duties.

Evidence Requirements

E-HRS-01 Position Categorization

Documented evidence of a discrete roles for cybersecurity & data privacy functions (e.g., position categorization).

Human Resources
E-HRS-15 Organization Chart

Current and accurate organization chart that depicts logical staff hierarchies.

Human Resources
E-HRS-27 Personnel Sanctions

Documented evidence of personnel management practices to formally sanction unacceptable behavior(s).

Human Resources

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free