Employee Onboarding Procedure Free Template

Here is the comprehensive and audit-ready Employee Onboarding Procedure document, fully aligned with SOC 2 Trust Services Criteria CC5.1 and CC5.2.

1. Document Control

  • Document Title: Employee Onboarding Procedure

  • Document Identifier: PRC-HR-001

  • Version Number: v1.0

  • Approval Date: <24 June 2025>

  • Effective Date: <24 June 2025>

  • Review Date: <24 June 2026>

  • Document Owner: <Human Resources Director>

  • Approved By: <Chief Operating Officer>

2. Purpose

The purpose of this procedure is to define a consistent, secure, and compliant framework for onboarding new employees at <Company Name>. A structured onboarding process is essential to ensure that new hires are properly integrated into the organization, understand their roles and responsibilities, and gain the necessary access to systems and data based on least privilege principles. This procedure also ensures alignment with SOC 2 controls CC5.1 (Control Environment) and CC5.2 (Communication and Information), which emphasize employee integrity, security awareness, and the implementation of responsibilities for safeguarding systems and data.

Effective onboarding is not only a human resources function but a cornerstone of organizational risk management and information security. By ensuring every employee receives proper orientation, role-based training, and technology provisioning, <Company Name> fosters a culture of accountability, compliance, and operational continuity.

3. Scope

This procedure applies to all new hires, including full-time, part-time, temporary, and contract personnel, across all departments within <Company Name>. It encompasses all functions involved in onboarding, including Human Resources, Information Technology, Facilities, and departmental managers.

The procedure covers the onboarding of personnel for all organizational units, whether operating from corporate offices, satellite locations, or remotely. It includes activities such as offer acceptance, pre-employment verification, systems access provisioning, orientation, initial training, policy acknowledgment, and probationary period reviews. Exceptions to this procedure must be approved by the Human Resources Director and documented accordingly.

4. Policy Statement

<Company Name> shall ensure that all newly hired personnel are onboarded through a formal and structured process that includes identity verification, role-based access provisioning, policy acknowledgments, and mandatory training. This onboarding process shall be documented, tracked, and reviewed for each employee to ensure consistency, compliance, and alignment with internal controls and external requirements.

Key requirements include:

  • Pre-employment background checks and verification

  • Role-specific system and application access provisioned only after approvals

  • Security awareness and data protection training completed within the first 5 business days

  • Formal acknowledgment of key policies (e.g., Acceptable Use, Code of Conduct, Information Security)

  • Initial performance check-ins by managers within the probationary period

The onboarding process must be completed within the first 30 days of employment, with clear documentation stored in the employee’s HR file.

5. Safeguards

To enforce and support this procedure, the following safeguards shall be implemented:

| Control ID | Control Description |
|------------|---------------------|
| HR-ONB-01 | All new hires must complete a background check and identity verification prior to Day 1. |
| HR-ONB-02 | Access provisioning is tied to job function and approved by the hiring manager and IT security. |
| HR-ONB-03 | A standardized onboarding checklist must be completed for every new hire and retained in the HRIS. |
| HR-ONB-04 | All new employees must complete security awareness training within 5 business days of hire. |
| HR-ONB-05 | Policy acknowledgment for Information Security, Code of Conduct, and Acceptable Use is required within 3 days of onboarding. |
| HR-ONB-06 | IT must ensure endpoint configuration meets baseline security requirements before deployment. |
| HR-ONB-07 | Human Resources shall schedule 30- and 90-day check-ins with managers and record the outcome. |

These controls ensure consistency, support auditing efforts, and mitigate risks related to unauthorized access and untrained employees.

6. Roles and Responsibilities

  • Human Resources (HR): Oversees the end-to-end onboarding process, ensures documentation is complete, conducts orientation, and facilitates policy acknowledgments and training schedules.

  • Hiring Manager: Defines job-specific access needs, initiates equipment and software requests, and performs 30/90-day performance reviews.

  • IT Department: Provisions system access, ensures secure configuration of devices, and implements endpoint protections before distribution.

  • Information Security Team: Reviews access levels, monitors for compliance, and ensures completion of security training.

  • New Employee: Completes all onboarding tasks as scheduled, acknowledges required policies, and reports any access issues or training gaps.

7. Compliance and Exceptions

Compliance with this procedure is mandatory. Regular audits of onboarding documentation, access reviews, and training completion rates will be conducted quarterly by the HR Compliance team in coordination with Internal Audit.

Any exceptions must be submitted in writing to the HR Director, along with justification and risk acceptance approval from the CISO or delegate. Exceptions shall be reviewed annually for continued validity.

8. Enforcement

Failure to comply with the onboarding procedure may result in serious consequences, including:

  • Employees: Disciplinary action as outlined in the Employee Handbook, including warnings, access restrictions, and possible termination.

  • Managers: Escalation to department leadership and potential impact on performance evaluations.

  • Vendors/Contractors: Termination of contract or reassessment of engagement terms.

  • Legal Implications: Violations involving negligent access provisioning or missed training deadlines may expose the company to regulatory risk and legal liability.

All enforcement actions shall be documented and maintained as part of HR records.

9. Related Policies/Documents

  • POL-HR-001: Employee Onboarding and Offboarding Policy (CC5.1, CC5.2)

  • POL-HR-002: Security Awareness and Training Policy (CC2.1, CC2.2)

  • PRC-IT-001: User Access Provisioning and Deprovisioning Procedure (CC6.1, CC6.2)

  • POL-ALL-002: Acceptable Use Policy

  • PRC-ALL-003: Information Asset Inventory Procedure

  • ISO 27001:2022 A.6.1 – A.6.3, A.7.2

  • SOC 2 TSC CC5.1 & CC5.2

10. Review and Maintenance

This procedure shall be reviewed annually or upon significant change in HR systems, legal requirements, or IT provisioning processes. The Human Resources Director is responsible for this review and for coordinating updates with Legal, IT, and Information Security teams.

Version control will be managed through the Document Control section, and changes will be communicated via the company’s compliance portal.

Ready to experience the BlueDocs advantage

See why teams choose BlueDocs for comprehensive knowledge management, training workflows, and policy compliance tracking.