Control 1-2-2 of the Compliance Framework ECC – 2 : 2024 requires organizations to verify both the claimed professional experience and, where mandated, Saudi nationality of staff who hold sensitive roles; this post provides a practical, step-by-step checklist and implementation advice so small businesses can meet the control with minimal friction while preserving security, privacy and auditability.
\n\nAt a high level, the control aims to ensure that people assigned to critical or regulated duties actually have the required experience and legal eligibility (in some cases Saudi nationality) before they are granted access to systems, data, or government contracts. Key objectives include preventing insider risk, ensuring contractual and legal compliance, and creating an auditable trail of identity and experience verification tied to each hire, contractor, or privileged user.
\n\nBefore you collect documents, obtain written candidate consent (signed e-form or PDF) that permits verification and storage of identity and employment records. Define your verification acceptance criteria (e.g., minimum years of experience, acceptable documents, how nationality will be proven). Prepare an evidence checklist: national ID (or passport), signed employment letters, contracts with dates, pay stubs or GOSI contribution statements, diplomas/certificates, and reference contact details.
\n\nFor Saudi nationality, use government e-services where available (Absher for identity confirmation or other authorized MHRSD/Qiwa endpoints if your organization has access), or ask for a certified copy of the National ID card. For foreign residents, validate iqama status against the Ministry of Interior systems. If you lack API access, require a notarized copy of the national ID or a document stamped by an authorized government office. Record the verification method (API call, notarized copy, visual inspection) and timestamp and store metadata (verifier, method, result).
\n\nValidate claimed experience by combining at least two independent sources: employer reference letters or contracts, GOSI contribution history (which shows social insurance contributions and employment periods), and corroborating digital footprints (LinkedIn employment dates, previous payroll/offer letters). For technical roles, include a focused skills assessment or lab test to validate capabilities. When dates are crucial, cross-check start/end dates against official payslips or GOSI records to avoid gaps or overlaps being misrepresented.
\n\nVerify professional certificates against issuer registries (e.g., vendor certificate validation pages for Cisco, Microsoft, ISC2). For attestable academic degrees, use the issuing institution’s verification service or a notarized transcript. Save a checksum (SHA-256) of the certificate PDF and record the verification URL or reference ID in the verification log to guard against tampering.
\n\nKeep an auditable verification record for each individual with fields: candidate ID, document type, source, verification date/time, verifier name, method (API/manual/notarized), result (pass/fail), and retention expiry. Store documents encrypted at rest (AES-256) with access controlled by RBAC, keep logs of who accessed records (write to SIEM) and use KMS for key management. Small businesses can use cloud storage with server-side encryption (S3 with SSE-KMS) and strict IAM policies, or a local encrypted database if required.
\n\nMap each verification step to evidence artifacts in your Compliance Framework tool: link the nationality proof artifact to Control 1-2-2; include the verification action (e.g., API response or notarized copy) as the control evidence. Use immutable logs (append-only) for verification events—store event hashes and timestamps so auditors can validate chain-of-custody. When integrating third-party ID services (Onfido, Jumio, or regionally-authorized vendors), ensure the vendor supports Saudi ID formats and stores data according to PDPL or your local data protection law; capture API response codes and store them as part of evidence.
\n\nExample: A 12-person IT consultancy winning a government subcontract that requires Saudi nationals for on-site support. Process: (1) recruit candidate, (2) request National ID copy plus signed consent, (3) request 3 years’ employment proofs—past employer letters and GOSI statements, (4) run a one-hour technical lab focusing on required competencies, (5) verify Saudi nationality via Absher screenshot or a certified ID copy, (6) record all artefacts in the HRIS and set a 5-year retention. Cost-saving tips: batch verifications for multiple hires, use pay-per-check e-verification providers instead of expensive annual SaaS, and use standard templates for consent and reference questions to reduce admin time.
\n\nBest practices: maintain a written SOP for 1-2-2 verifications, train HR and hiring managers on red flags (inconsistent dates, unverifiable employers), enforce a minimum evidence standard (e.g., at least two corroborating items), and schedule periodic re-verification for long-term contractors. Apply least privilege while background checks are pending (temporary restricted access). Risks for not implementing this control include regulatory fines, disqualification from government programs, insider threats from unverified staff, reputational damage, and increased probability of security incidents due to unqualified personnel operating critical systems.
\n\nSummary: Implementing Control 1-2-2 need not be resource-intensive—define acceptance criteria, obtain candidate consent, collect and corroborate identity and employment evidence (using government services like Absher or GOSI where possible), store validated artifacts securely with strong encryption and audit logging, and codify the process into your Compliance Framework evidence repository. These steps create an auditable trail and materially reduce legal, operational and security risks associated with hiring or assigning sensitive roles.
", "plain_text": "Control 1-2-2 of the Compliance Framework ECC – 2 : 2024 requires organizations to verify both the claimed professional experience and, where mandated, Saudi nationality of staff who hold sensitive roles; this post provides a practical, step-by-step checklist and implementation advice so small businesses can meet the control with minimal friction while preserving security, privacy and auditability.\n\nWhat Control 1-2-2 expects (summary)\nAt a high level, the control aims to ensure that people assigned to critical or regulated duties actually have the required experience and legal eligibility (in some cases Saudi nationality) before they are granted access to systems, data, or government contracts. Key objectives include preventing insider risk, ensuring contractual and legal compliance, and creating an auditable trail of identity and experience verification tied to each hire, contractor, or privileged user.\n\nStep-by-step checklist (practical)\n1) Prepare and obtain consent\nBefore you collect documents, obtain written candidate consent (signed e-form or PDF) that permits verification and storage of identity and employment records. Define your verification acceptance criteria (e.g., minimum years of experience, acceptable documents, how nationality will be proven). Prepare an evidence checklist: national ID (or passport), signed employment letters, contracts with dates, pay stubs or GOSI contribution statements, diplomas/certificates, and reference contact details.\n\n2) Perform identity and nationality verification\nFor Saudi nationality, use government e-services where available (Absher for identity confirmation or other authorized MHRSD/Qiwa endpoints if your organization has access), or ask for a certified copy of the National ID card. For foreign residents, validate iqama status against the Ministry of Interior systems. If you lack API access, require a notarized copy of the national ID or a document stamped by an authorized government office. Record the verification method (API call, notarized copy, visual inspection) and timestamp and store metadata (verifier, method, result).\n\n3) Verify employment history and experience\nValidate claimed experience by combining at least two independent sources: employer reference letters or contracts, GOSI contribution history (which shows social insurance contributions and employment periods), and corroborating digital footprints (LinkedIn employment dates, previous payroll/offer letters). For technical roles, include a focused skills assessment or lab test to validate capabilities. When dates are crucial, cross-check start/end dates against official payslips or GOSI records to avoid gaps or overlaps being misrepresented.\n\n4) Validate credentials and certifications\nVerify professional certificates against issuer registries (e.g., vendor certificate validation pages for Cisco, Microsoft, ISC2). For attestable academic degrees, use the issuing institution’s verification service or a notarized transcript. Save a checksum (SHA-256) of the certificate PDF and record the verification URL or reference ID in the verification log to guard against tampering.\n\n5) Document and store verification evidence securely\nKeep an auditable verification record for each individual with fields: candidate ID, document type, source, verification date/time, verifier name, method (API/manual/notarized), result (pass/fail), and retention expiry. Store documents encrypted at rest (AES-256) with access controlled by RBAC, keep logs of who accessed records (write to SIEM) and use KMS for key management. Small businesses can use cloud storage with server-side encryption (S3 with SSE-KMS) and strict IAM policies, or a local encrypted database if required.\n\nTechnical implementation notes specific to Compliance Framework\nMap each verification step to evidence artifacts in your Compliance Framework tool: link the nationality proof artifact to Control 1-2-2; include the verification action (e.g., API response or notarized copy) as the control evidence. Use immutable logs (append-only) for verification events—store event hashes and timestamps so auditors can validate chain-of-custody. When integrating third-party ID services (Onfido, Jumio, or regionally-authorized vendors), ensure the vendor supports Saudi ID formats and stores data according to PDPL or your local data protection law; capture API response codes and store them as part of evidence.\n\nReal-world small business scenario\nExample: A 12-person IT consultancy winning a government subcontract that requires Saudi nationals for on-site support. Process: (1) recruit candidate, (2) request National ID copy plus signed consent, (3) request 3 years’ employment proofs—past employer letters and GOSI statements, (4) run a one-hour technical lab focusing on required competencies, (5) verify Saudi nationality via Absher screenshot or a certified ID copy, (6) record all artefacts in the HRIS and set a 5-year retention. Cost-saving tips: batch verifications for multiple hires, use pay-per-check e-verification providers instead of expensive annual SaaS, and use standard templates for consent and reference questions to reduce admin time.\n\nCompliance tips, best practices and risk if not implemented\nBest practices: maintain a written SOP for 1-2-2 verifications, train HR and hiring managers on red flags (inconsistent dates, unverifiable employers), enforce a minimum evidence standard (e.g., at least two corroborating items), and schedule periodic re-verification for long-term contractors. Apply least privilege while background checks are pending (temporary restricted access). Risks for not implementing this control include regulatory fines, disqualification from government programs, insider threats from unverified staff, reputational damage, and increased probability of security incidents due to unqualified personnel operating critical systems.\n\nSummary: Implementing Control 1-2-2 need not be resource-intensive—define acceptance criteria, obtain candidate consent, collect and corroborate identity and employment evidence (using government services like Absher or GOSI where possible), store validated artifacts securely with strong encryption and audit logging, and codify the process into your Compliance Framework evidence repository. These steps create an auditable trail and materially reduce legal, operational and security risks associated with hiring or assigning sensitive roles." }, "metadata": { "description": "A practical, step-by-step checklist to verify candidate experience and Saudi nationality for Compliance Framework Control 1-2-2, with implementation tips for small businesses.", "permalink": "/implementing-essential-cybersecurity-controls-ecc-2-2024-control-1-2-2-step-by-step-checklist-to-verify-experience-and-saudi-nationality-requirements.json", "categories": [], "tags": [] } }