What is Annex A 6.6 in ISO 27001?
Annex A 6.6 requires confidentiality or non-disclosure agreements that reflect your needs for protecting information to be identified, documented, regularly reviewed, and signed by personnel and other relevant interested parties. The standard does not mandate a tool; this guide uses SharePoint for template version control and Jira for tracking signatures so that legal protection becomes part of daily operations and internal culture rather than a separate paper exercise.
Auditor’s Eye: The Shortcut Trap
Many firms rely on automated SaaS portals to track NDAs. Where those platforms sit apart from daily work, the legal record becomes decoupled from onboarding and access decisions, and compliance stays surface-level. Auditors want to see the agreements, their approval history, and their link to access decisions in repositories you control. SharePoint version history gives clear evidence of who changed a template and when, and a lawyer-approved template in your internal wiki shows the same. Avoid “black box” software that hides your procedural gaps from you. Direct document management proves you own the process.
| 2013 Control Reference | 2022 Control Reference | Requirement Summary |
|---|---|---|
| A.13.2.4 Confidentiality or non-disclosure agreements | A.6.6 Confidentiality or non-disclosure agreements | Define, document, and review agreements protecting information assets. |
How to Implement Annex A 6.6 (Step-by-Step)
To implement Annex A 6.6, first define the legal and contractual confidentiality requirements that apply to you (data protection law, customer contracts, regulatory duties). Record them in a master register. Store your NDA templates in SharePoint. Make sure every staff member and third party signs before being given access to in-scope information, and keep the signed copy where it can be retrieved for audit. Map the requirements to the internal tools that enforce them. This creates a management system you can sustain.
- Identify Scope: List all personnel and partners needing confidentiality terms.
- Draft Templates: Save lawyer-approved NDAs in a SharePoint document library.
- Enforce Signing: Make the signed agreement (attachment plus signature date) a mandatory field in the Jira onboarding workflow, so the ticket cannot close without it.
- Centralise Records: Archive signed documents in a secure, restricted folder.
- Periodic Review: Review the register and templates at least annually, and whenever legislation or contract terms change, so all terms remain valid.
Annex A 6.6 Audit Evidence Checklist
Focus on manual records and internal document versions. These prove human oversight and intent. Use your existing organisational tools to maintain this evidence.
- Approved NDA templates with version control history in SharePoint.
- Signature logs within Jira onboarding or contractor tickets.
- Signed agreements for every current employee and contractor.
- Meeting minutes from legal reviews of confidentiality terms.
- Access control reports or permission logs showing that restricted folders are granted only to parties with a signed NDA, with the grant date on or after the signature date.
Relational Mapping
- ISO 27001 Clause 4.2: Understanding needs of interested parties.
- Annex A 5.31: Legal and contractual requirements.
- Annex A 6.2: Terms and conditions of employment.
Auditor Interview
Auditor: How do you ensure all third parties sign NDAs?
Manager: We use a mandatory Jira workflow for vendor onboarding. The ticket cannot close without an uploaded signature.
Auditor: Where do you track the version history of your NDA?
Manager: We manage all legal templates in our SharePoint Document Management System. It tracks every change automatically.
Common Non-Conformities
| Failure Mode | Description | Remediation Action |
|---|---|---|
| Automated Complacency | Relying on a SaaS dashboard without internal procedural evidence. | Move templates to SharePoint. Record manual reviews in meeting minutes. |
| Missing Signatures | Long-term contractors lack signed agreements on file. | Conduct a retrospective audit of the contractor register and obtain signatures for every gap before access continues. |
| Outdated Terms | NDAs do not reflect current data protection legislation. | Update SharePoint templates annually via the legal review process. |
Frequently Asked Questions
What is ISO 27001 Annex A 6.6?
Bottom Line Up Front: It is the requirement for Confidentiality or Non-Disclosure Agreements. These documents legally protect your sensitive data. You must integrate them into your internal business processes. This ensures all parties understand their data handling duties. Use SharePoint to store your master records.
Does a standard contract cover Annex A 6.6?
Bottom Line Up Front: Yes, if the contract includes specific confidentiality clauses that cover the information the party will access. You do not always need a separate NDA. However, you must document where these terms reside and review them on the same schedule as standalone NDAs. Use your internal wiki to map contracts to Annex A 6.6. This provides clarity during audits.
How do auditors check for NDA compliance?
Bottom Line Up Front: Auditors sample signed agreements from your internal repositories. They look at your SharePoint folders and Jira logs. They reconcile the sample against access records and check that the signature date is on or before the date system access was granted, that the template signed is the current approved version, and that nobody with access is missing from the register. Ensure all records are easily accessible within your organisational tools.
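The reconciliation described above, and the access-log evidence item in the checklist, can be run internally before the auditor does it. The following is an added example written for this page, not code from the original article or from any tool it names. The register and access log are constructed sample data in the shape a SharePoint list or Jira export might take; the party names, resource names and template version are hypothetical. It flags three failure modes the page discusses: access with no NDA on file, access granted before the signature date, and a signed template that is no longer the current approved version.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (hypothetical, not from the page): one row per signed
# agreement. A party that re-signs a newer template appears more than once.
NDA_REGISTER = [
    {"party": "alice", "signed_on": date(2024, 1, 10), "template_version": "3.1"},
    {"party": "bob", "signed_on": date(2024, 3, 5), "template_version": "3.1"},
    {"party": "acme-contractor", "signed_on": date(2022, 6, 1), "template_version": "2.0"},
]

# Constructed access-provisioning log (hypothetical): one row per grant.
ACCESS_LOG = [
    {"party": "alice", "resource": "Finance-Shared", "granted_on": date(2024, 1, 12)},
    {"party": "bob", "resource": "HR-Records", "granted_on": date(2024, 2, 20)},
    {"party": "carol", "resource": "Finance-Shared", "granted_on": date(2024, 4, 1)},
    {"party": "acme-contractor", "resource": "Source-Repo", "granted_on": date(2023, 9, 1)},
]

# The version currently approved by legal review (hypothetical value).
CURRENT_TEMPLATE_VERSION = "3.1"


@dataclass(frozen=True)
class Finding:
    party: str
    resource: str
    issue: str  # "no_nda", "access_before_signature" or "outdated_template"


def reconcile(nda_register, access_log, current_version):
    """Compare every access grant against the NDA register and return findings.

    Rules applied:
      - no_nda: the party holds access but has no agreement on file at all.
      - access_before_signature: no agreement was signed on or before the grant
        date. Earlier signatures count, so a party who later re-signs a newer
        template is not flagged for access granted under the older one.
      - outdated_template: the party's most recent agreement is not the
        current approved template version.
    """
    signatures = {}
    for row in nda_register:
        signatures.setdefault(row["party"], []).append(row)

    findings = []
    for grant in access_log:
        party, resource, granted_on = grant["party"], grant["resource"], grant["granted_on"]
        rows = signatures.get(party)
        if not rows:
            findings.append(Finding(party, resource, "no_nda"))
            continue

        # Signature on the same day as the grant is acceptable; later is not.
        if not any(r["signed_on"] <= granted_on for r in rows):
            findings.append(Finding(party, resource, "access_before_signature"))

        latest = max(rows, key=lambda r: r["signed_on"])
        if latest["template_version"] != current_version:
            findings.append(Finding(party, resource, "outdated_template"))
    return findings


def parties_without_findings(nda_register, access_log, current_version):
    """Parties in the access log that passed every check (useful as a clean sample)."""
    flagged = {f.party for f in reconcile(nda_register, access_log, current_version)}
    return sorted({g["party"] for g in access_log} - flagged)


if __name__ == "__main__":
    for f in reconcile(NDA_REGISTER, ACCESS_LOG, CURRENT_TEMPLATE_VERSION):
        print(f"{f.issue:24} {f.party:18} {f.resource}")
    print("clean:", parties_without_findings(NDA_REGISTER, ACCESS_LOG, CURRENT_TEMPLATE_VERSION))
```

Run against real exports, the same logic gives you the evidence list the checklist asks for: a clean reconciliation report dated before the audit, plus tickets for each finding. The "signed on or before the grant date" rule is deliberately applied across all of a party's signatures, not just the latest, so that re-signing an updated template does not produce false positives for historical grants.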
