ISO 27001:2022 Annex A Control 6.6

Explaining Annex A Control 6.6 Confidentiality or non-disclosure agreements

ISO 27001:2022 Annex A Control 6.6 requires that confidentiality or non-disclosure agreements (NDAs) reflecting the organization's needs for the protection of information are identified, documented, regularly reviewed, and signed by personnel and other relevant interested parties. These agreements ensure that employees, contractors, suppliers, and other external parties understand and formally acknowledge their responsibility to keep the organization's information confidential.


Control type: Preventive

Information security properties: Confidentiality

Cybersecurity concepts: Protect

Operational capabilities: Human resource security, Information protection, Supplier relationships security

Security domains: Governance and ecosystem

Objective of Control 6.6

The main objective of this control is to ensure that all personnel and external parties who have access to confidential information understand, acknowledge, and comply with legally binding confidentiality obligations.

By implementing this control, your organization can:

  • Minimize the risk of information leakage, whether intentional or accidental.
  • Protect trade secrets, business strategies, and sensitive operational data.
  • Ensure compliance with industry regulations regarding data protection and privacy.
  • Prevent unauthorized use or disclosure of critical business or customer information.
  • Create a legal foundation to take action against individuals or entities that breach confidentiality agreements.

Purpose of Control 6.6

The purpose of Control 6.6 is to define and enforce clear confidentiality obligations for employees, third-party contractors, suppliers, and other stakeholders who may access your organization’s sensitive information.

A well-structured NDA establishes:

  • What information is confidential and should be protected.
  • Who is bound by the agreement and their specific responsibilities.
  • The permitted use of confidential information and any restrictions.
  • Legal consequences in the event of unauthorized disclosure or misuse.
  • Procedures for reporting and addressing breaches of confidentiality.

Main Elements of Confidentiality or Non-Disclosure Agreements

A robust NDA should clearly outline the following elements to align with ISO 27001 requirements:

1. Definition of Confidential Information

  • Clearly specify what constitutes confidential or proprietary information.
  • Examples include trade secrets, financial records, business strategies, source code, customer data, and intellectual property.
  • Reference the organization's information classification levels (e.g., Public, Internal Use Only, Confidential, Restricted) so the signatory knows which labels the agreement covers.

2. Duration of Confidentiality Obligation

  • Define how long the confidentiality obligation lasts.
  • Some NDAs may require confidentiality indefinitely, while others are limited to a specific timeframe (e.g., five years after employment ends).

3. Actions Upon Termination

  • Specify the steps required when the agreement ends, a contract concludes, or an employee leaves the organization.
  • These may include:
    • Returning all confidential documents, digital files, and assets.
    • Securely destroying sensitive information if it is no longer needed.

4. Responsibilities of the Signatory

  • Clearly define what the individual or entity must do to protect confidential information.
  • This can include secure handling, restricted access, and data encryption requirements.

5. Ownership and Intellectual Property Rights

  • Clarify who owns the confidential information and any intellectual property developed during an engagement.
  • Prevent unauthorized claims of ownership over proprietary assets.

6. Permitted and Restricted Use

  • Outline how the confidential information can be used.
  • Define any restrictions, such as:
    • Prohibiting sharing with third parties without written permission.
    • Limiting use to specific business purposes outlined in the agreement.

7. Right to Audit and Monitor Compliance

  • Specify if and how your organization can audit a signatory’s activities involving confidential information.
  • This is essential where the organization must be able to verify that a supplier or contractor is handling its information as agreed, rather than rely on the signatory's assurances alone.

8. Breach Notification and Reporting

  • Establish a process for reporting unauthorized disclosure of confidential information.
  • Define response actions, including:
    • Internal investigations.
    • Legal actions against the violating party.
    • Security measures to mitigate further risk.

9. Information Disposal at Termination

  • Detail the steps to be followed when the NDA ends, including:
    • Returning, deleting, or securely destroying confidential documents.
    • Ensuring data is not stored in personal or unauthorized locations.

10. Consequences of Non-Compliance

  • Clearly state penalties for breaking the agreement, such as:
    • Termination of employment or contract.
    • Fines or legal action if damages occur due to a breach.

Implementation Steps

To comply with Control 6.6, your organization should take the following actions:

1. Identify Confidential Information

  • Determine which types of data require NDAs.
  • Conduct a risk assessment to classify information based on sensitivity.

2. Draft Legally Binding NDAs

  • Work with legal counsel to create NDAs that meet business, security, and regulatory needs.
  • Ensure the agreements are clear, specific, and enforceable.

3. Require NDAs Before Granting Access

  • Make NDA signing a mandatory condition for employees, vendors, and third parties before accessing confidential data.

4. Regularly Review and Update Agreements

  • Review the agreements at least annually to keep them aligned with current legal, contractual, and security requirements.
  • Modify agreements if business operations, suppliers, or regulations change.

5. Monitor Compliance and Enforce Agreements

  • Conduct random audits to verify compliance with NDAs.
  • Implement a clear procedure for handling breaches.
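Steps 3 to 5 above are enforceable as a technical control: an access request for classified information is refused unless a valid NDA is on file, and a periodic audit lists everyone who holds such access without one. The following Python script is an added example written for this page, not part of the standard or of any product; the NDA register, the access grants, the classification ordering, the "NDA required from Confidential upwards" threshold, and the 365-day review interval are all constructed assumptions.

```python
"""Gate access on a valid NDA and audit the NDA register (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed classification ordering, least to most sensitive.
CLASSIFICATION_RANK = {"Public": 0, "Internal Use Only": 1, "Confidential": 2, "Restricted": 3}
NDA_REQUIRED_FROM = "Confidential"      # assumption: NDA needed at this level and above
REVIEW_INTERVAL = timedelta(days=365)   # assumption: NDA template reviewed annually


@dataclass(frozen=True)
class Nda:
    party: str                  # employee or supplier identifier
    template_version: str       # version of the NDA template that was signed
    signed_on: date
    expires_on: Optional[date]  # None means an indefinite confidentiality obligation


@dataclass(frozen=True)
class AccessGrant:
    party: str
    asset: str
    classification: str


def nda_required(classification: str) -> bool:
    return CLASSIFICATION_RANK[classification] >= CLASSIFICATION_RANK[NDA_REQUIRED_FROM]


def nda_is_valid(nda: Nda, current_version: str, today: date) -> bool:
    # An NDA signed on a superseded template does not count: the signatory never
    # acknowledged the current obligations (step 4, review and update).
    not_expired = nda.expires_on is None or nda.expires_on >= today
    return nda.template_version == current_version and not_expired


def may_grant_access(grant: AccessGrant, register: list, current_version: str, today: date):
    """Step 3: refuse access to classified assets unless a valid NDA is on file."""
    if not nda_required(grant.classification):
        return True, "no NDA required for this classification"
    ndas = [n for n in register if n.party == grant.party]
    if not ndas:
        return False, "no NDA on file"
    if not any(nda_is_valid(n, current_version, today) for n in ndas):
        return False, "NDA expired or signed on a superseded template"
    return True, "valid NDA on file"


def audit_register(grants: list, register: list, current_version: str,
                   template_reviewed_on: date, today: date) -> list:
    """Step 5: list every access holder lacking a valid NDA, plus an overdue template review."""
    findings = []
    for g in grants:
        ok, reason = may_grant_access(g, register, current_version, today)
        if not ok:
            findings.append(f"{g.party}: holds access to {g.asset} ({g.classification}) but {reason}")
    if today - template_reviewed_on > REVIEW_INTERVAL:
        findings.append(f"NDA template {current_version} last reviewed {template_reviewed_on}: annual review overdue")
    return findings


# Constructed sample data: one clean case and several failure modes.
CURRENT_TEMPLATE = "v2"
TEMPLATE_REVIEWED_ON = date(2024, 1, 15)
TODAY = date(2025, 6, 1)
REGISTER = [
    Nda("alice", "v2", date(2025, 2, 1), None),             # valid, indefinite
    Nda("bob", "v2", date(2023, 3, 1), date(2025, 3, 1)),   # expired before TODAY
    Nda("carol", "v1", date(2024, 6, 1), None),             # superseded template
]
GRANTS = [
    AccessGrant("alice", "source-repo", "Restricted"),
    AccessGrant("bob", "customer-db", "Confidential"),
    AccessGrant("carol", "roadmap-docs", "Confidential"),
    AccessGrant("dave", "staff-handbook", "Internal Use Only"),  # no NDA needed
    AccessGrant("erin", "hsm-backups", "Restricted"),            # no NDA at all
]


def run_audit() -> list:
    return audit_register(GRANTS, REGISTER, CURRENT_TEMPLATE, TEMPLATE_REVIEWED_ON, TODAY)


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

Run against the constructed data, the audit reports bob (expired), carol (old template), erin (no NDA), and the overdue template review, while alice and dave pass. In a real deployment the register would be fed from the HR or contract system and the grants from the identity provider, and the gate would run inside the access-provisioning workflow rather than as a standalone script.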

Legal Considerations

Your NDAs must comply with:

  • Applicable data protection laws (e.g., GDPR, CCPA).
  • Industry regulations (e.g., HIPAA for healthcare data, PCI DSS for payment card data).
  • Contractual obligations with clients and partners.

Relevant ISO 27001 Controls

Control 6.6 is complemented by the following ISO 27001 controls:

  • Control 5.31 – Legal, statutory, regulatory, and contractual requirements.
  • Control 5.32 – Intellectual property rights.
  • Control 5.33 – Protection of records.
  • Control 5.34 – Privacy and protection of personally identifiable information (PII).
  • Control 6.5 – Responsibilities after termination or change of employment.

Templates to Assist with Control 6.6

Your organization can use pre-built templates to streamline NDA implementation:

  • Confidentiality Statement Template (NDA Template) – Covers confidentiality obligations for employees.
  • Third-Party NDA Template – Ensures vendors and contractors protect sensitive data.
  • Mutual NDA Template – Used when both parties share confidential information.
  • Intellectual Property NDA – Protects proprietary assets during collaborations.