Most organisations use contractors. Contractors typically have the same access to an organisation’s assets, including those deemed most sensitive, as directly employed staff, yet in some organisations they are not always required to abide by the same personnel security requirements. While this may be a business-driven decision, it could leave an organisation open to risk.
CPNI (Centre for the Protection of National Infrastructure) recommends that organisations use the same personnel security measures with contractors as they would with their directly employed staff. It is recognised, however, that at certain times business pressures may force organisations to use reduced or alternative measures. On these occasions, it is up to the organisation to make a risk assessment as to why it needs to downgrade its personnel security standards and what alternative measures can be used instead.
Regardless of the decision made, CPNI points out that it is the employing organisation, not the contractor organisation or agency, that owns and needs to manage effectively the risk of granting the contractor access to its sites and assets.