ISO 27001 Annex A 6.2 – Terms and Conditions of Employment

For the ISO 27001 control Annex A 6.2, called Terms and Conditions of Employment, you need to ensure your organization has agreements with employees. These agreements define your information security responsibilities.

Terms of employment are the specific conditions and agreements that establish the relationship between the employee and the employer. Usually, these terms explain the rights and duties of both parties.

What is ISO 27001 Annex A 6.2?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Terms and Conditions of Employment”.

What is the ISO 27001 Annex A 6.2 control objective?

The formal definition and control objective in the standard is: “The employment contractual agreements should state the personnel’s and the organisation’s responsibilities for information security.”

What is the purpose of ISO 27001 Annex A 6.2?

The purpose of ISO 27001 Annex A 6.2 is “to ensure that employees are fully aware of their information security responsibilities in relation to their role.”

Is ISO 27001 Annex A 6.2 Mandatory?

ISO 27001 Annex A control 6.2 (Terms and Conditions of Employment in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 6.2 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

You will need to consult with both a legal professional and an HR professional for expert advice.

You must create contracts that clearly state the information security responsibilities for both your staff and your organization. You should ensure all staff have legally binding contractual agreements. Always be sure to follow all laws and rules that apply to your situation.

Your ISO 27001 Policies

Your contract should take your ISO 27001 policies into account. This includes your main information security policy and any other ISO 27001 policies that cover specific topics. Policies are statements that explain what you do for information security and what your staff must do.

Items to Put in the Employment Contract

You may consider including the following in the employment contract:

  • Non-disclosure agreements (NDAs)
  • Confidentiality agreements
  • Legal rights

The following points are suggestions from the standard. You should be aware of them, but you may want to check if they belong in a contract:

  • How you categorize information
  • How you manage information
  • How you manage company assets
  • Your facilities for processing information
  • Your services for providing information
  • How you handle information you receive from outside groups
  • What actions will be taken if staff do not follow the information security rules

Communication and Agreement

You should let people know their information security roles and duties when you are hiring them, before they start work.

The staff must agree to the information security rules. This usually happens when the new staff member signs the contract, and you keep a copy of this signed contract on file.

Reviewing the Contract Terms

You want to make sure that the terms and rules you set are appropriate for each person: their role, the work they do, and the company information they can access.

As part of continual improvement, you should review the terms you have in place. This is especially important if you change your policies or if laws or regulations change.

Non-Disclosure After Employment

Some rules will still be in effect after a person leaves the company. This is usually for a specific time. You should think about keeping an ISO 27001 non-disclosure agreement and a confidentiality agreement in place for 12 months after the employment ends.

Using an Employee Handbook

A great way to share and explain information security duties and main ideas is to use an employee handbook or a code of conduct. You will find that this works well in many organizations.

Staff Hired Through Agencies

If you use staff who are not directly employed by you, for example staff from an agency or another third party, that agency or third party should sign a contract covering those people.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

1. Documented Contract of Employment

You must have a documented contract of employment. The auditor will meet with your human resources (HR) team to look at the standard template for the employment contract. They will then ask for proof that this contract is being used by reviewing a selection of employee files. The auditor will confirm that the terms listed in this clause have been satisfied.

2. Communication of Employment Terms

You need to share the terms of employment with all appropriate and interested individuals. The audit will examine your training and awareness plan and your communication plan. The auditor will look for evidence showing that you have completed this communication in the past.

3. Awareness of Responsibilities

You must ensure that people know what their responsibilities are. The auditor will check for documented processes and a documented topic-specific policy. They will also look for evidence that you have shared these documents and trained employees on what you expect them to do. The auditor will confirm that people have a contract outlining the terms and that they understand and agree to those terms.