How to implement ISO 27001 Annex A 6.6 – A certification body's guide

Implementing ISO 27001 Annex A 6.6 Confidentiality or Non-disclosure Agreements

Protecting your information is the heart of information security. While firewalls and passwords keep digital intruders out, legal frameworks ensure that the people you trust with your data actually keep it safe. This is where ISO 27001 Annex A 6.6 comes into play. It deals with confidentiality or non-disclosure agreements, often called NDAs.

At ISO27001.com, we frequently see organisations struggle not with the concept of an NDA, but with the consistent application of it. This guide will walk you through how to implement this control effectively and explain exactly what we, as a certification body, look for when we audit your management system.

Understanding Annex A 6.6

Annex A 6.6 is a preventative control. Its purpose is straightforward. It ensures that employees, contractors, and third parties understand their legal obligation to keep your sensitive information secret. It is not just about having a piece of paper signed. It is about defining the rules of engagement regarding your data.

You might think this is purely a legal matter, but in the world of ISO 27001, it is a vital security control. If someone leaks your client database, it does not matter if they hacked it or simply emailed it to a competitor. The damage is the same. This control creates a legal deterrent and sets clear expectations for behaviour.

Identifying Your Requirements

Before you start drafting documents, you need to identify what needs protection. You cannot protect everything, so you must be specific. You should look at your asset register. Identify the information assets that are classified as confidential or restricted.

You also need to identify the interested parties. Who has access to this information? This usually falls into two categories.

  • Internal Parties: These are your employees. Confidentiality clauses are often part of their employment contract, but you may need separate NDAs for highly sensitive projects.
  • External Parties: This includes suppliers, contractors, consultants, and partners. They need a legally binding agreement before they access your systems or data.

Drafting the Agreement

We always recommend that you seek legal advice when drafting these contracts to ensure they are enforceable in your jurisdiction. However, from an ISO 27001 perspective, there are specific elements we expect to see included to satisfy the control.

The agreement should clearly define the information being protected. Vague terms like ‘all business data’ can be difficult to enforce. Be specific where possible. It must also state the duration of the agreement. Does the duty of confidentiality end when the contract ends, or does it continue indefinitely? For high-value data, indefinite protection is often the standard.

You must also outline the permitted use of the information. If a contractor is hired to process payroll, the agreement should state they can only use the data for that specific purpose. Finally, include the right to audit and the actions that will be taken if the agreement is breached.

Integrating into Business Processes

The most common failure we see at ISO27001.com is a disconnect between the process and the paperwork. You might have a perfect NDA template, but if nobody signs it, it is useless.

You need to embed this step into your onboarding process. For employees, human resources should ensure the confidentiality clause is signed before the first day of work. For suppliers, the procurement team must ensure the NDA is signed before any data is shared or access is granted.

You should also review these agreements regularly. If a supplier changes the nature of their service, the original NDA might no longer be sufficient. A regular review cycle, perhaps annually, ensures your legal protections remain aligned with your current risks.

What the Auditor Expects

When an auditor from a certification body visits you, they will look for evidence. We do not just take your word for it. We want to see the audit trail. Here is what you should prepare.

First, we will ask to see your policy on confidentiality. This documents your rules. Then, we will sample your personnel files and supplier contracts. We expect to see signed, valid, and up-to-date agreements for the people and companies we select.

We will also look for consistency. If you use different versions of an NDA, we will ask why. We check whether the level of protection in the agreement matches the classification of the information being accessed. If you give a vendor access to ‘Top Secret’ data but only have them sign a standard, low-level confidentiality agreement, that will be raised as a non-conformity.

Common Pitfalls to Avoid

To help you pass your audit smoothly, watch out for these common mistakes we often encounter.

  • Expired Agreements: Contracts that have lapsed while the vendor still has access to the network.
  • Unsigned Documents: Finding an NDA in a file that was never actually signed by the other party.
  • Missing Terms: Agreements that do not specify what happens to the data when the relationship ends.

Maintaining Compliance

Implementing Annex A 6.6 is not a one-time task. It requires ongoing maintenance. As your business grows and your relationships evolve, your agreements must adapt. Keep your templates updated and ensure your legal team and information security team communicate effectively.

By strictly implementing these confidentiality agreements, you build a layer of trust with your clients. They know their data is safe not just by technology, but by binding legal commitments. If you need more guidance on aligning your legal contracts with security controls, resources are available at ISO27001.com to assist you.