If you have been managing information security for any length of time, you know that the “human element” is often the most complex part of the puzzle. When ISO 27001 updated from the 2013 version to the 2022 release, several controls related to people were reshuffled and refined. One of the most essential transitions is found in Annex A 6.2: Terms and Conditions of Employment. While the core spirit of the control remains familiar, its new home and refined wording tell a story of modern accountability.
The Structural Shift: From 7.1.2 to 6.2
In the ISO 27001:2013 framework, the requirement for security-related employment terms lived under Control 7.1.2, within the “Human Resources Security” domain. It was grouped with other HR-centric tasks like screening and disciplinary processes.
With the arrival of ISO 27001:2022, this control has been rebranded as Annex A 6.2 and moved into the People Controls theme. This isn’t just a simple numbering change. According to experts at Hightable.io, the 2022 update aims to make the standard more accessible to management rather than just IT professionals. By categorising it as a “People Control,” the standard emphasizes that security is a shared responsibility that begins the moment a contract is signed.
What Exactly Does Annex A 6.2 Cover?
The primary goal of Annex A 6.2 is to ensure that employees and contractors understand their information security responsibilities before they even touch a company asset. It mandates that contractual agreements, whether they are full-time employment contracts or third-party service agreements, clearly state what is expected of the individual regarding data protection.
The 2022 version continues to require that these agreements cover:
- Confidentiality and non-disclosure obligations.
- Legal and regulatory responsibilities (such as GDPR or intellectual property laws).
- Responsibilities for handling information and assets.
- Post-employment obligations (what happens after they leave the company).
Key Differences and Refinements
If you were to place the 2013 and 2022 versions of this control side-by-side, you might notice that the actual requirements haven’t undergone a radical overhaul. Instead, the focus has shifted toward clarity and intent.
As Hightable.io points out, the 2022 version introduces “Attributes” to every control. For Annex A 6.2, these attributes help organizations classify the control more effectively. For example, it is now clearly tagged as a Preventive control. This helps security teams explain to auditors that by putting these terms in the contract, they are actively preventing security breaches caused by ignorance or lack of defined responsibility.
Additionally, the 2022 version is more explicit about the “Terms and Conditions” applying to all relevant parties. While the 2013 version sometimes left room for ambiguity regarding short-term contractors or interns, the 2022 update leaves no doubt: if they have access to your information, their contract must reflect their security duties.

Practical Implementation: What Auditors Look For
Transitioning to the 2022 standard means your evidence trail needs to be sharp. An auditor won’t just want to see a generic HR template; they will want to see how those security clauses link back to your actual policies. They will typically check for:
- Signed Agreements: Proof that contracts were signed before access to sensitive systems was granted.
- Specific Clauses: Ensuring that the “fine print” actually mentions things like data classification, acceptable use, and the consequences of a security violation.
- Consistency: Evidence that contractors and third-party personnel are held to the same high standards as permanent staff.
Why This Change Matters for Your Business
The move to Annex A 6.2 reflects a shift in the global business culture. In 2013, a “Confidentiality” clause was often seen as a legal formality. In 2026, with the rise of remote work and complex supply chains, these terms are a critical line of defence. By clearly defining roles and responsibilities in the employment contract, you create a foundation of accountability.
As suggested by Hightable.io, the best way to handle this transition is to collaborate closely with your HR and Legal teams. You don’t necessarily need to rewrite every contract, but you should ensure that your newest templates and any contract renewals fully align with the refined language of the 2022 standard. This simple step not only satisfies your ISO auditor but also significantly strengthens your internal security culture.
