How to Implement ISO 27001 Annex A 6.2

ISO 27001 Annex A 6.2 is a legal and contractual safeguard requiring that information security responsibilities be explicitly defined in employment agreements. Implementing it ensures that employees and contractors are legally bound to protect sensitive data, giving the business enforceable accountability and clear liability for security breaches.

ISO 27001 Annex A Terms and Conditions of Employment Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 6.2. This control mandates that information security responsibilities are legally binding within the employment contract, ensuring that staff and contractors understand their liability before they are granted access to sensitive assets.

1. Embed Specific Security Clauses in Contracts

Control Requirement: Legal agreements must explicitly state the employee’s responsibility for information security.

Required Implementation Step: Draft specific clauses in the employment contract that reference the Information Security Policy. Do not rely on a generic “obey company rules” line. The contract must explicitly state that “Failure to comply with Information Security Policies (e.g., password sharing, data exfiltration) constitutes Gross Misconduct.”

Minimum Requirement: Signed employment contracts containing specific clauses linking security breaches to disciplinary action.

2. Mandate Non-Disclosure Agreements (NDAs)

Control Requirement: Protect confidential information from unauthorised disclosure.

Required Implementation Step: Require a separate, robust NDA or Confidentiality Deed to be signed prior to the first day of employment. This document must define “Confidential Information” broadly (including customer data, source code, and trade secrets) and explicitly state that the duty of confidentiality survives the termination of employment.

Minimum Requirement: A signed NDA on file for every employee and contractor, dated prior to their first login.

3. Define Intellectual Property (IP) Assignment

Control Requirement: Clarify ownership of assets created during employment.

Required Implementation Step: Ensure the contract includes an aggressive “Inventions and Proprietary Rights” clause. This must state that any code, data, or documentation created by the employee using company resources or during working hours is the exclusive property of the organisation, preventing future disputes over code ownership.

Minimum Requirement: Legal confirmation that all work output is automatically assigned to the company.

4. Clarify Acceptable Use Liabilities

Control Requirement: Ensure users know the boundaries of their digital behaviour.

Required Implementation Step: Attach the Acceptable Use Policy (AUP) as an addendum to the contract. The employee must acknowledge that they have no expectation of privacy on corporate systems and that the organisation reserves the right to monitor traffic, emails, and file transfers to detect security incidents.

Minimum Requirement: A signed acknowledgement that corporate systems are monitored and not for personal use.

5. Incorporate Screening Consent

Control Requirement: Legitimise the background checks required by Control 6.1.

Required Implementation Step: Include a clause where the employee grants ongoing consent for background checks (e.g., criminal record or credit checks) throughout their tenure, not just at the start. This legally covers you for “Triggered Re-screening” if they move to a high-risk role later.

Minimum Requirement: Contractual consent for initial and periodic background verification.

6. Define Remote Work and BYOD Obligations

Control Requirement: Extend contractual security to non-corporate environments.

Required Implementation Step: If the role involves remote work, the contract must stipulate the physical security standards of the home office (e.g., “Company equipment must not be used by family members”). If BYOD is permitted, include a waiver allowing the company to remotely wipe corporate data from personal devices.

Minimum Requirement: Specific terms governing the security of assets outside the physical office perimeter.

7. Outline Data Protection Responsibilities (GDPR)

Control Requirement: Ensure staff handle PII in accordance with the law.

Required Implementation Step: Explicitly list the employee’s duties under the UK GDPR or Data Protection Act 2018. They must acknowledge that they are personally liable for reporting data breaches immediately and must not process customer data for personal reasons (e.g., looking up a celebrity client).

Minimum Requirement: A clause strictly prohibiting the processing of PII outside of authorised business workflows.

8. Detail Post-Employment Responsibilities

Control Requirement: Ensure security obligations persist after the employee leaves.

Required Implementation Step: The contract must clearly state that the return of assets (laptops, keys, tokens) is mandatory on the final day. It should also forbid the “poaching” of clients or staff and the retention of any company data (e.g., client lists) on personal drives after exit.

Minimum Requirement: Clear exit terms regarding asset return and data destruction.

9. Enforce ‘Sign Before Access’ Protocol

Control Requirement: Legal coverage must precede risk exposure.

Required Implementation Step: Instruct HR and IT that no account credentials (AD, Okta, Email) are to be issued until the signed contract is verified in the personnel file. The “First Day” onboarding process is too late; the risk begins the moment they log in.

Minimum Requirement: Workflow evidence showing contracts are signed before IT provisioning tickets are resolved.
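The “sign before access” gate in step 9 and the “NDA dated prior to first login” requirement in step 2 are both evidence questions an auditor will sample, and they can be checked mechanically rather than by trust in an HR process. The script below is an added example, not part of this page or its author’s toolkit: it reconciles a constructed HR export (contract and NDA signature timestamps) against constructed identity-provider audit events and reports every account that was provisioned or first logged in before the paperwork was signed, has a document missing, or has no HR record at all. The record shape, event names (`account.created`, `user.login`) and identifiers are assumptions for illustration, not any vendor’s real log format.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed HR export: signature timestamps per person (None = nothing on file).
HR_RECORDS = {
    "e1001": {"contract_signed_at": "2024-03-01T09:00:00Z", "nda_signed_at": "2024-03-01T09:05:00Z"},
    "e1002": {"contract_signed_at": "2024-03-12T14:00:00Z", "nda_signed_at": None},
    "e1003": {"contract_signed_at": None, "nda_signed_at": None},
    "c2001": {"contract_signed_at": "2024-04-02T08:30:00Z", "nda_signed_at": "2024-04-02T08:40:00Z"},
}

# Constructed IdP audit events (assumed shape; not a real vendor log format).
IDP_EVENTS = [
    {"user": "e1001", "event": "account.created", "at": "2024-03-04T10:00:00Z"},
    {"user": "e1001", "event": "user.login", "at": "2024-03-04T10:15:00Z"},
    {"user": "e1002", "event": "account.created", "at": "2024-03-11T16:00:00Z"},  # a day before the contract
    {"user": "e1002", "event": "user.login", "at": "2024-03-11T16:30:00Z"},
    {"user": "e1003", "event": "account.created", "at": "2024-03-20T09:00:00Z"},  # nothing signed at all
    {"user": "c2001", "event": "account.created", "at": "2024-04-02T09:00:00Z"},
    {"user": "c2001", "event": "user.login", "at": "2024-04-03T08:00:00Z"},
    {"user": "x9999", "event": "account.created", "at": "2024-04-05T09:00:00Z"},  # unknown to HR
]

REQUIRED_DOCS = ("contract", "nda")


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def first_event(events: list[dict], user: str, kind: str) -> Optional[datetime]:
    """Earliest timestamp of a given event type for a user, or None if absent."""
    stamps = [parse_ts(e["at"]) for e in events if e["user"] == user and e["event"] == kind]
    return min(stamps) if stamps else None


def audit_sign_before_access(hr_records: dict, idp_events: list[dict]) -> list[dict]:
    """Return one finding per control violation: account exists or was used
    before a required document was signed, a document is missing, or the
    account has no HR record to check against."""
    findings = []
    for user in sorted({e["user"] for e in idp_events}):
        provisioned = first_event(idp_events, user, "account.created")
        first_login = first_event(idp_events, user, "user.login")
        record = hr_records.get(user)
        if record is None:
            findings.append({"user": user, "issue": "no_hr_record"})
            continue
        for doc in REQUIRED_DOCS:
            signed = record.get(f"{doc}_signed_at")
            if signed is None:
                findings.append({"user": user, "issue": f"{doc}_missing"})
                continue
            signed_at = parse_ts(signed)
            if provisioned is not None and provisioned < signed_at:
                findings.append({"user": user, "issue": f"provisioned_before_{doc}",
                                 "provisioned": provisioned.isoformat(), "signed": signed_at.isoformat()})
            if first_login is not None and first_login < signed_at:
                findings.append({"user": user, "issue": f"login_before_{doc}",
                                 "first_login": first_login.isoformat(), "signed": signed_at.isoformat()})
    return findings


if __name__ == "__main__":
    for finding in audit_sign_before_access(HR_RECORDS, IDP_EVENTS):
        print(finding)
```

Run against a real HR export and IdP log, the empty list is the evidence the checklist asks for; each non-empty finding is a specific sampled user an auditor could pick up. Note that the check keys on the identity the IdP issued, so an account with no matching HR record is itself reported rather than silently skipped.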

10. Review and Update Templates Annually

Control Requirement: Ensure terms remain relevant to the current threat landscape.

Required Implementation Step: Consult employment law specialists annually to update contract templates. For example, older contracts may not adequately cover “Shadow IT” or the use of Generative AI tools. Update the standard terms to reflect new technologies and risks.

Minimum Requirement: Evidence of annual legal review of the standard employment contract template.

ISO 27001 Annex A 6.2 SaaS / GRC Platform Implementation Failure Checklist

The gap between GRC dashboard compliance and technical reality for Control 6.2.

| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Security Clauses | Uploading a standard employment contract template to the GRC tool. | A template is not a signed contract. Auditors need to see the signed document for specific sampled employees, not the blank form. |
| NDA Enforcement | A single line in the handbook saying “keep things secret”. | Without a specific, legally tested NDA, you cannot sue for IP theft. Handbooks are often not contractually binding. |
| Sign Before Access | Marking the control as “Implemented” because HR has a process. | Does IT actually check with HR before creating the AD account? Often, the user has been working for a week before they sign anything. |
| Post-Employment | Assuming the “Exit Checklist” covers legal risks. | Checklists are administrative. If the contract doesn’t explicitly state that confidentiality survives termination, your data is unprotected the day they leave. |
| Remote Work | Generic contracts that don’t mention home Wi-Fi or BYOD. | If you don’t legally mandate home security standards, you cannot discipline an employee for losing data via an insecure personal router. |
| IP Assignment | Relying on “implied terms” of employment. | In many jurisdictions, if a developer writes code at home on a Sunday, they own it unless your contract explicitly says otherwise. |
| Contractor Gaps | Using the same lightweight contract for a cleaner and a DevOps consultant. | Contractors with root access need stronger liability clauses than permanent staff, as you have less direct control over them. |

About the author

Stuart Barker
ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
