ISO 27001 Annex A 6.6 is about a Confidentiality Agreement or Non-Disclosure Agreement (NDA). This is a legal document that stops you or your company from sharing secret information with other people. You often use this kind of agreement in business, during hiring, and in other times when you need to give someone sensitive information.
What is ISO 27001 Annex A 6.6?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Confidentiality Or Non-Disclosure Agreements”.
What is the ISO 27001 Annex A 6.6 control objective?
The formal definition and control objective in the standard is: “Confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.”
What is the purpose of ISO 27001 Annex A 6.6?
The purpose of ISO 27001 Annex A 6.6 is “to ensure that you have non-disclosure agreements or confidentiality in contracts.”
Is ISO 27001 Annex A 6.6 Mandatory?
ISO 27001 Annex A control 6.6 (Confidentiality Or Non-Disclosure Agreements in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 6.6 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. In practice, you will need to make sure of the following:
- You have hired a legal expert.
- Your contracts include terms for information confidentiality that the law can uphold.
- You have figured out which information needs protection.
- You have assigned a classification level to that information.
- You have contracts or Non-Disclosure Agreements (NDAs) signed when they are necessary.
Deciding What Terms to Include
First, the best advice is always to talk to a legal professional. For general ideas when deciding on what terms to use, you should think about:
- What information people will see.
- How secret the information is (its classification).
- What the information will be used for.
Identifying Required Terms
When you decide what rules to put into a confidentiality clause or NDA, you need to include:
- A clear explanation of what counts as confidential information.
- How long the agreement will last.
- What happens once the agreement ends.
- What everyone who signs the agreement is responsible for.
- Who owns the information, trade secrets, and ideas (intellectual property).
- How the confidential information is allowed to be used.
- A right to check (audit) to make sure rules are being followed.
- How you will tell each other if there is a breach.
- What you will do if people break the agreement.
- Which country’s or region’s laws apply.
Steps for Writing an Agreement
The steps for writing an NDA or confidentiality agreement include:
- Figuring out the information you need to protect.
- Deciding on the range of things the agreement covers (the scope).
- Writing down the specific rules of the agreement.
- Checking and discussing the agreement with the other party.
- Getting everyone to sign the final document.
Key Parts of an Agreement
The most important things that should be in an NDA or confidentiality agreement include:
- The definition of confidential information.
- The range of the agreement (the scope).
- The duties of the people signing the agreement.
- How long the agreement lasts (the duration).
- What happens if someone breaks the agreement (the remedies for breach).
Challenges and Legal Issues
Some difficulties you might face with these agreements are:
- Making sure the agreements are written and used correctly.
- Getting people to sign the agreements.
- Making people follow the agreements (enforcement).
Confidentiality agreements are legal papers. They must be created and used according to the laws where you are. It is best to work with a legal expert. In some places, these agreements may not be valid if they do not include certain rules or are not written in a specific way.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will look for:
Your Legal Agreements
The auditor will check your confidentiality and non-disclosure agreements. It is easy to use standard forms or old documents, but the auditor will look for proof that your legal paperwork is based on current legal advice. This may include showing that you have met with or hired legal professionals.
Legally Binding Documents
The documents you have must be enforceable by law. The auditor will check that your legal documents are signed, dated, current, and are correct for the specific arrangement you have with the other party.
People Know Their Duties
The auditor will check that people understand what they need to do. They will look for your written procedures and confirm that you have shared them. They will also check that your staff have been trained on their security responsibilities.