What is an acceptable level of staff and contractor vetting?
CREST looks for the minimum vetting level requirement as outlined in BS7858 but companies should consider the type of work they undertake and the importance of client confidentiality. Companies should be aware that additional vetting may be required for certain clients such as Governments.
However, for added confidence for your clients, all of your staff including any contractors that you use should receive basic information security training including use of passwords, protection of data at rest (unattended computers) etc. on an on-going basis. Staff with specific responsibilities should receive specialist training and a record kept of all training received.
Companies should nominate an individual or individuals to take responsibility for personnel security. There should also be demonstrable management commitment to this process.
Further background information on recognised security standards and on the various security clearance levels and their application is contained within these FAQs under Personnel Security.