
How to Implement ISO 27001 Annex A 6.2 Terms of Employment

In this ultimate how-to-implement guide to ISO 27001 Annex A 6.2 Terms of Employment, you will learn directly from an ISO 27001 Lead Auditor:

  • The requirement of the control
  • The required implementation steps
  • The minimum requirement

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Implementing ISO 27001 Annex A 6.2 is a legal and contractual safeguard requiring that information security responsibilities be explicitly defined in employment agreements. This control ensures that employees and contractors are legally bound to protect sensitive data, providing the business benefit of enforceable accountability and clear liability for security breaches.

ISO 27001 Annex A Terms and Conditions of Employment Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 6.2. This control mandates that information security responsibilities are legally binding within the employment contract, ensuring that staff and contractors understand their liability before they are granted access to sensitive assets.

1. Embed Specific Security Clauses in Contracts

Control Requirement: Legal agreements must explicitly state the employee’s responsibility for information security.

Required Implementation Step: Draft specific clauses in the employment contract that reference the Information Security Policy. Do not rely on a generic “obey company rules” line. The contract must explicitly state that “Failure to comply with Information Security Policies (e.g., password sharing, data exfiltration) constitutes Gross Misconduct.”

Minimum Requirement: Signed employment contracts containing specific clauses linking security breaches to disciplinary action.

2. Mandate Non-Disclosure Agreements (NDAs)

Control Requirement: Protect confidential information from unauthorised disclosure.

Required Implementation Step: Require a separate, robust NDA or Confidentiality Deed to be signed prior to the first day of employment. This document must define “Confidential Information” broadly (including customer data, source code, and trade secrets) and explicitly state that the duty of confidentiality survives the termination of employment.

Minimum Requirement: A signed NDA on file for every employee and contractor, dated prior to their first login.

3. Define Intellectual Property (IP) Assignment

Control Requirement: Clarify ownership of assets created during employment.

Required Implementation Step: Ensure the contract includes an aggressive “Inventions and Proprietary Rights” clause. This must state that any code, data, or documentation created by the employee using company resources or during working hours is the exclusive property of the organisation, preventing future disputes over code ownership.

Minimum Requirement: Legal confirmation that all work output is automatically assigned to the company.
