Do you require new employees to fill out agreements and review policies?
Explanation
Onboarding controls are what's being checked here: the concern is whether new hires must review your policies and sign the relevant agreements before they start. These typically include confidentiality agreements, acceptable use policies, security policies, code of conduct, and other employment-related documents.
Why this is asked in security assessments:
- Accountability: Signed agreements create a record that employees were informed of their responsibilities.
- Legal protection: These agreements establish the employer-employee relationship regarding handling of sensitive data and systems.
- Security awareness: The process ensures employees are aware of security expectations from day one.
- Compliance requirements: Many regulations (like HIPAA, SOC2, ISO 27001) require documented evidence that employees understand their security obligations.
The question helps assessors understand if your organization has baseline security awareness measures in place and if you're creating accountability for security practices at the employee level. Without such agreements, it's difficult to enforce security policies or take action if violations occur.
When answering this question, you should:
- Be specific about which agreements and policies are required
- Mention when in the onboarding process these are reviewed (ideally before system access is granted)
- Note if you track completion and maintain records of these signed documents
- Mention if there are consequences for non-completion
Example Responses
Example Response 1
Yes, our organization requires all new employees to review and acknowledge key policies and sign agreements as part of our formal onboarding process Before receiving system access credentials, new hires must complete the following: (1) Sign a confidentiality and non-disclosure agreement, (2) Review and acknowledge our information security policy, acceptable use policy, and code of conduct, (3) Complete basic security awareness training, and (4) Sign an acknowledgment of employment handbook receipt HR maintains digital records of all signed documents in our secure document management system Employees cannot receive system access until these requirements are completed, and compliance is tracked through our onboarding checklist.
Example Response 2
Yes, we implement a comprehensive policy acknowledgment process for all new hires During their first week, employees must review and electronically sign our security policies, acceptable use policy, code of conduct, and confidentiality agreement through our HR management platform The system automatically tracks completion status and sends reminders for any outstanding items Our IT department is automatically notified when these requirements are completed, which triggers the provisioning of appropriate system access We maintain these records for the duration of employment plus three years Additionally, employees must re-acknowledge these policies annually as part of our security refresher training.
Example Response 3
No, we currently don't have a formal process requiring new employees to sign agreements or review policies during onboarding While we do verbally communicate our expectations regarding confidentiality and system usage during orientation, we haven't implemented a documented process with signed acknowledgments Our small team size (under 10 employees) has allowed us to operate with more informal processes until now However, we recognize this is a gap in our security practices, and we're developing a formal onboarding checklist that will include policy reviews and signed agreements We plan to implement this within the next quarter and retroactively have existing employees complete these requirements.
Context
- Tab
- Organization
- Category
- Policies, Processes, and Procedures
Related questions
- Do you have a documented patch management process?
- Can your organization comply with institutional policies on privacy and data protection with regard to users of institutional systems, if required?
- Is your company subject to the institution's geographic region's laws and regulations?
- Can you accommodate encryption requirements using open standards?
- Do you have a documented systems development life cycle (SDLC)?
- Do you perform background screenings or multi-state background checks on all employees prior to their first day of work?

