What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 6.6

In the transition from ISO 27001:2013 to ISO 27001:2022, Annex A underwent a significant structural clean-up. While much of the attention goes to the brand-new technological controls, some of the most practical changes happened to the way legal and people-centric risks are managed. Annex A 6.6, Confidentiality or non-disclosure agreements (NDAs), is a prime example. If you are moving your ISMS to the new version, you will find that what was once a “communications” control is now a cornerstone of the “people” theme.

The Structural Shift: From 13.2.4 to 6.6

In ISO 27001:2013, confidentiality agreements were covered by control A.13.2.4. That control sat within A.13 Communications security, under the A.13.2 Information transfer objective, so it was grouped with the requirements for moving information between parties. The perspective was largely procedural: when information passed from one party to another, an agreement had to be in place.

The 2022 update changes the perspective. It renumbers the requirement as Annex A 6.6 and moves it into the People controls theme (clause 6 of Annex A). According to Hightable.io, this shift acknowledges that an NDA is not just a property of an information transfer; it is a control over the behaviour and accountability of people, whether employees, contractors or partners, who have access to your sensitive assets.

What is New in Annex A 6.6?

The core requirement has not changed: the organisation must identify, document and regularly review the confidentiality or non-disclosure requirements that reflect its needs for protecting information. Note that “regularly reviewed” was already in the 2013 control wording, so periodic review itself is not new. What the 2022 control text adds is that the agreements must be signed by personnel and other relevant interested parties, turning an agreement-on-file into an explicit obligation on each person given access. The accompanying guidance in ISO/IEC 27002:2022 also spells out more clearly how the agreements should be managed. In practice your agreements should be:

  • Risk-Based: The depth and specificity of the NDA should match the sensitivity of the information being accessed, and its terms should reflect the organisation’s documented protection needs.
  • Periodically Reviewed: Agreements and the templates behind them must be reviewed at defined intervals and whenever the underlying requirements change (for example new data protection or trade secret legislation), so a ten-year-old template cannot simply be left in a drawer.
  • Signed and Communicated: A template is not enough; the relevant parties must actually sign, ideally before access is granted, and must understand their ongoing obligations, including what happens to information after the relationship ends.

The Introduction of Attributes

One of the most visible changes in the 2022 edition is the introduction of attributes for every control. Strictly, the attribute tables live in ISO/IEC 27002:2022 (the implementation guidance) rather than in ISO 27001 Annex A itself, but they are the standard’s own way of describing what each control is for, something the 2013 version did not offer. Annex A 6.6 is tagged as a Preventive control.

As Hightable.io notes, these attributes let you map the control to recognised security concepts. For 6.6 the information security property is Confidentiality, the cybersecurity concept is Protect, the operational capabilities are human resource security, information protection and supplier relationships security, and the security domain is Governance and Ecosystem. This makes it significantly easier to explain the “why” behind the control to auditors and board members during a transition audit.

Modern Implementation Requirements

The 2022 edition reflects a world where cloud services, remote work and complex supply chains are the norm. In 2013 many organisations relied on a single confidentiality clause in the employment contract and stopped there. Under Annex A 6.6 you are expected to address at least the following:

  • Third-Party Accountability: Ensuring that consultants, vendors and other interested parties are bound by the same (or stricter) confidentiality obligations as your own staff.
  • Post-Termination Obligations: Making clear what must happen to information when someone leaves the organisation or a contract ends, including return or destruction, and how long the duty of confidentiality continues afterwards.
  • Right to Audit: For high-stakes partnerships, the agreement should include your right to audit and monitor the other party’s handling of your confidential information, rather than relying on trust alone.

What Will an Auditor Look For in 6.6?

Transitioning to the 2022 standard means your evidence needs to be more than a folder of signed papers. An auditor will want to see a structured process and will check for:

  • Traceability: Can you produce a signed, current NDA for everyone, staff or third party, who has access to your confidential information?
  • Legal Soundness: Evidence that your templates were reviewed by legal professionals to ensure they are enforceable in each jurisdiction where they are used.
  • Onboarding/Offboarding Integration: Proof that the NDA is a mandatory gatekeeper (no signature, no system access) and that offboarding reminds the leaver of the obligations that survive termination.
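As an added example, not taken from the original article or from Hightable.io, the traceability and gatekeeper checks above can be automated against the “digital register” the article recommends. The script below assumes two exports you would normally pull from your IdP or HR system and from the NDA register: a list of people with access to confidential data (with the date access was granted) and a list of signed agreements (with signed and last-reviewed dates). The field names, the identifiers and the one-year review interval are assumptions for illustration, and the sample rows are constructed.

```python
"""Reconcile an access export against an NDA register (added example).

Three audit questions are answered as data, not as a folder of PDFs:
  1. Who has access to confidential information but no signed NDA?
  2. Who was granted access before signing (the gatekeeper was bypassed)?
  3. Which agreements have not been reviewed within the review interval?
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AccessGrant:
    person_id: str   # identifier shared between IdP/HR export and register (assumed)
    kind: str        # "employee" | "contractor" | "vendor"
    granted: date    # first date the account could reach confidential data


@dataclass(frozen=True)
class NdaRecord:
    person_id: str
    signed: date           # date the agreement was signed
    last_reviewed: date    # last date the agreement/template was confirmed still valid
    template_version: str  # which legal template was used


# Assumed review interval; set it to whatever your ISMS documents.
REVIEW_INTERVAL = timedelta(days=365)


def missing_agreements(grants, register):
    """People with access but no NDA record at all."""
    signed = {r.person_id for r in register}
    return sorted(g.person_id for g in grants if g.person_id not in signed)


def access_before_signature(grants, register):
    """People whose access predates their signature: the gate was not enforced."""
    by_person = {r.person_id: r for r in register}
    out = []
    for g in grants:
        r = by_person.get(g.person_id)
        if r is not None and g.granted < r.signed:
            out.append((g.person_id, g.granted, r.signed))
    return sorted(out)


def overdue_reviews(register, as_of, interval=REVIEW_INTERVAL):
    """Agreements whose last review is older than the interval on the given date."""
    return sorted(r.person_id for r in register if as_of - r.last_reviewed > interval)


def reconcile(grants, register, as_of):
    """Run all three checks and return the findings an auditor would ask about."""
    return {
        "no_nda": missing_agreements(grants, register),
        "access_before_nda": [p for p, _, _ in access_before_signature(grants, register)],
        "review_overdue": overdue_reviews(register, as_of),
    }


# Constructed sample exports (not real data).
GRANTS = [
    AccessGrant("e-101", "employee", date(2024, 3, 4)),
    AccessGrant("c-202", "contractor", date(2025, 1, 15)),
    AccessGrant("v-303", "vendor", date(2025, 6, 1)),      # no NDA on file
    AccessGrant("e-104", "employee", date(2023, 9, 1)),
]
REGISTER = [
    NdaRecord("e-101", date(2024, 3, 4), date(2025, 9, 1), "NDA-v3"),
    NdaRecord("c-202", date(2025, 2, 1), date(2025, 2, 1), "NDA-v3"),  # signed after access
    NdaRecord("e-104", date(2023, 9, 1), date(2023, 9, 1), "NDA-v2"),  # never reviewed
]

if __name__ == "__main__":
    for finding, people in reconcile(GRANTS, REGISTER, date(2026, 1, 31)).items():
        print(f"{finding}: {people}")
```

Each list the script produces maps directly onto an auditor question: an empty `no_nda` list is your traceability evidence, `access_before_nda` shows whether the gatekeeper actually gates, and `review_overdue` is the periodic-review evidence. In the constructed data the contractor c-202 was last reviewed 364 days before the as-of date, so it is deliberately just inside the interval; shift the date by a day and it moves into the overdue list, which is the kind of boundary an auditor will probe.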

Why This Change Matters

The update to Annex A 6.6 shows that ISO 27001 continues to move away from being a “tech-only” standard toward a holistic governance framework. By placing NDAs in the People theme, the standard forces organisations to treat confidentiality as a human risk to be managed, not just a legal box to tick.

As suggested by Hightable.io, the best way to handle the transition is to start with an inventory of your current agreements. Check whether they cover the requirements of the 2022 standard, and keep a “central source of truth”, such as a digital register, from which any agreement can be verified instantly. This proactive step does more than pass an audit; it builds a foundation of trust with clients and partners.