The Human Resource Security Policy covers screening, onboarding, security awareness, discipline, and offboarding of personnel. It ensures that everyone who works at botBrains is suitable for their role, understands their security responsibilities, and loses access cleanly when they leave.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.

Scope

This policy applies to both botBrains team members and to any future employee, contractor, or third party with access to botBrains systems or customer data. botBrains is currently a two-person company, fully remote, so the rules below describe the lightweight reality today and the process we follow as the team grows.

Before engagement

Stage and requirement:

Screening: Background verification proportional to the role and the sensitivity of the data accessed, carried out in line with German and EU law. Identity and reference checks apply to every hire; deeper checks apply to roles with privileged access to production or customer data.
Terms of engagement: Before botBrains grants access, personnel agree to this policy, the Acceptable Use Policy, and the Code of Conduct, and sign a confidentiality or non-disclosure agreement covering company and customer information.
Roles: botBrains writes security responsibilities into the role and assigns them according to the Roles and Responsibilities policy, with the CISO accountable for information security.

During engagement

Personnel complete security onboarding that covers our systems, the policies in this ISMS, and how to report incidents, following the Employees Only: Joiner playbook and recorded in the Employees Only: People register. All engineers additionally read the Employees Only: Secure Coding Standards as part of the joiner and mover process. Security awareness continues at least annually and whenever a material change to systems or threats warrants it, so that everyone stays current on phishing, credential hygiene, data handling, and incident reporting. Personnel who take on an incident-response role complete the incident-response training within 90 days and repeat it annually, as set out in the Incident Management Policy. Confidentiality obligations remain in force throughout engagement and after it ends.

Offboarding

When someone leaves or changes role, a co-founder revokes access promptly across all systems following the joiner, mover, and leaver process in the Access Control Policy. They recover or rotate all company assets, accounts, and credentials, remind the departing person of their continuing confidentiality obligations, and review the shared password manager entries the person could access, rotating them as needed.

Discipline

Personnel who violate this ISMS are subject to a fair, proportionate disciplinary process that considers the nature and severity of the violation, up to and including termination of employment or contract. Serious misconduct may result in immediate withdrawal of access. The CISO receives reports of violations and decides on the response.

ISO 27001 mapping

This policy supports Annex A 6.1 (screening), 6.2 (terms and conditions of employment), 6.3 (information security awareness, education, and training), 6.4 (disciplinary process), 6.5 (responsibilities after termination or change), 6.6 (confidentiality or non-disclosure agreements), and 6.8 (information security event reporting), together with Clause 7.2 (competence) and Clause 7.3 (awareness).

Review

The CISO owns this policy and reviews it at least annually and after any material change.