How to Implement ISO 27001 Annex A 6.6

ISO 27001 Annex A 6.6 is a legal safeguard: it requires the organisation to define and enforce confidentiality or non-disclosure agreements (NDAs) that protect sensitive information assets. The control ensures that every party is legally bound before it is given access to data, which gives the business enforceable intellectual property protection and reduced liability for data leaks.

ISO 27001 Annex A Confidentiality or Non-Disclosure Agreements Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 6.6. This control demands that confidentiality or non-disclosure agreements (NDAs) are not just signed pieces of paper, but enforceable legal instruments that reflect the organisation’s specific needs for protecting information assets.

1. Differentiate NDAs by Role and Risk

Control Requirement: Identify the requirement for confidentiality or non-disclosure agreements reflecting the organisation’s needs.

Required Implementation Step: Do not use a single generic NDA for everyone. Create three distinct templates: ‘Standard Staff’ (low risk), ‘Privileged Admin/Exec’ (high IP/financial risk), and ‘External Partner/Vendor’ (commercial liability). Review these with legal counsel to ensure they specifically cover the types of data (e.g., PII, source code, trade secrets) exposed to each group.

Minimum Requirement: Three distinct, legally reviewed NDA templates stored in a central repository.

2. Enforce Pre-Disclosure Signing

Control Requirement: Ensure agreements are signed before information is disclosed.

Required Implementation Step: Implement a ‘No NDA, No Meeting’ protocol for external parties. Instruct reception and meeting organisers that external guests cannot enter sensitive areas or join Teams calls where confidential data is discussed without a verified, countersigned NDA on file.

Minimum Requirement: A workflow rule (e.g., in the Visitor Management System) blocking entry until NDA status is green.

3. Define ‘Confidential Information’ Explicitly

Control Requirement: Clearly define what information is to be protected.

Required Implementation Step: Avoid vague definitions like “everything we discuss.” Update the NDA schedule to explicitly list categories: “Client Databases,” “Pricing Algorithms,” “Unreleased Product Designs,” and “Network Schematics.” If the definition is too broad, it may be unenforceable in court; if too narrow, you leak data legally.

Minimum Requirement: An NDA definition clause that maps directly to your Information Classification Policy levels.

4. Align NDAs with Data Protection Laws

Control Requirement: Ensure compliance with relevant legislation (e.g., GDPR, DPA 2018).

Required Implementation Step: Review NDA clauses to ensure they do not accidentally attempt to override statutory rights (like whistleblowing) or data subject rights. Ensure the NDA explicitly mentions responsibilities regarding the processing of Personally Identifiable Information (PII) if the counterparty is a processor.

Minimum Requirement: A ‘Data Protection’ clause within the NDA referencing the specific applicable privacy legislation.

5. Set Clear Durations and Expiry Terms

Control Requirement: Define the duration of the agreement.

Required Implementation Step: Specify how long the confidentiality obligation lasts. For trade secrets, this should be “indefinite” or “perpetual.” For commercial discussions, a term of 3-5 years post-engagement is standard. Ensure the contract states that confidentiality obligations survive the termination of the business relationship.

Minimum Requirement: A specific ‘Survival’ clause in the contract extending confidentiality obligations beyond the end date.

6. Mandate Return or Destruction of Data

Control Requirement: Specify actions upon termination of the agreement.

Required Implementation Step: Include a mandatory clause requiring the other party to return or cryptographically destroy all confidential data upon request or contract termination. Require them to provide a written ‘Certificate of Destruction’ signed by a director, verifying that no copies exist on backups or personal devices.

Minimum Requirement: A clause granting the right to audit the counterparty’s deletion of your data.

7. Digitise and Index Signed Agreements

Control Requirement: Maintain records of signed agreements.

Required Implementation Step: Stop storing paper NDAs in filing cabinets. Use a digital signature platform (DocuSign/Adobe Sign) to capture agreements and automatically route the final PDF to a secure, searchable legal repository (e.g., SharePoint ‘Legal’ site). Tag files with the counterparty name and expiry date.

Minimum Requirement: A searchable digital registry of all active NDAs, accessible to the Legal and Procurement teams.

8. Review and Update Templates Annually

Control Requirement: Ensure agreements remain valid and enforceable.

Required Implementation Step: Schedule an annual review of the NDA templates with qualified legal counsel. Laws change (e.g., restriction of non-competes), and technology changes (e.g., impact of AI on IP ownership). An NDA written in 2018 may be useless against a data leak involving Generative AI in 2026.

Minimum Requirement: Documented evidence of an annual legal review of all standard NDA templates.

9. Educate Staff on NDA Triggers

Control Requirement: Ensure staff know when an NDA is required.

Required Implementation Step: Train Sales, Procurement, and HR staff on the specific triggers for issuing an NDA. They need to know that an “informal chat” about a potential partnership requires an NDA if pricing or product roadmaps are shown.

Minimum Requirement: Internal guidance documents or intranet pages explaining ‘When to use an NDA’.

10. Conduct Regular Compliance Audits

Control Requirement: Verify that NDAs are actually being signed and stored.

Required Implementation Step: Sample 10 recent vendor contracts and 10 new employee files. Check if a valid, signed NDA exists for each. If you find vendors working without a contract, raise a Non-Conformity immediately. This is a common failure point in ISO 27001 audits.

Minimum Requirement: An internal audit report sampling NDA compliance across HR and Procurement.

ISO 27001 Annex A 6.6 SaaS / GRC Platform Implementation Failure Checklist

The gap between GRC dashboard compliance and technical reality for Control 6.6. Each entry below gives the control requirement, the ‘Checkbox Compliance’ trap, and the reality check.

Agreement Signing
The trap: A green tick because the GRC tool has a blank “NDA Template” uploaded.
Reality check: A template protects nothing. You need the signed PDF from the specific vendor you are sharing data with.

Definition of Data
The trap: Using a template from 2005 downloaded from the internet.
Reality check: Does your 2005 template cover “Cloud Configuration Metadata” or “Machine Learning Training Sets”? Likely not.

Storage
The trap: Storing signed NDAs in email inboxes.
Reality check: When the Sales Manager leaves, the NDA is lost. They must be in a central, backed-up repository.

Enforcement
The trap: Assuming the NDA stops them stealing data.
Reality check: An NDA is just the right to sue. It doesn’t stop data theft. You still need DLP, access controls, and encryption.

Expiry
The trap: NDAs that expire “1 year after signing”.
Reality check: If you are still working with them after 13 months, you are now sharing secrets with zero legal protection.

Signatory Authority
The trap: Allowing Junior Sales Reps to sign NDAs.
Reality check: Only Directors or authorised delegates should bind the company to legal terms. Juniors might accidentally sign away IP rights.

Third Parties
The trap: Relying on the Vendor’s NDA.
Reality check: The Vendor’s NDA protects them, not you. Always push to use your own template on your own paper.
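As an added example (not code from the article or from the author’s toolkit), the Python check below runs the audit from step 10 over a constructed NDA registry of the kind step 7 describes, flagging the failure modes the checklist and the table above call out: no NDA on file, NDA signed after first disclosure (step 2), no survival clause (step 5), an unauthorised signatory, and an NDA that expired while the engagement is still active. All counterparty names, dates and field names are constructed.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): the digital NDA registry from
# step 7 and the engagements it should cover. "expires" is None for a
# perpetual/trade-secret NDA (step 5).
NDA_REGISTRY = [
    {"counterparty": "Acme Hosting Ltd", "signed": date(2024, 1, 10),
     "expires": date(2025, 1, 10), "survival_clause": True, "signatory": "Director"},
    {"counterparty": "Beta Analytics", "signed": date(2025, 3, 1),
     "expires": None, "survival_clause": True, "signatory": "Director"},
    {"counterparty": "Gamma Design Co", "signed": date(2025, 6, 15),
     "expires": date(2028, 6, 15), "survival_clause": False, "signatory": "Junior Sales Rep"},
]
ENGAGEMENTS = [
    {"counterparty": "Acme Hosting Ltd", "first_disclosure": date(2024, 1, 15), "active": True},
    {"counterparty": "Beta Analytics", "first_disclosure": date(2025, 2, 20), "active": True},
    {"counterparty": "Gamma Design Co", "first_disclosure": date(2025, 6, 20), "active": False},
    {"counterparty": "Delta Recruiters", "first_disclosure": date(2025, 9, 1), "active": True},
]
AUTHORISED_SIGNATORIES = {"Director", "Authorised Delegate"}


def audit_nda_coverage(registry, engagements, as_of, warn_days=30):
    """Return (counterparty, finding) pairs for every engagement sampled in the audit."""
    by_party = {n["counterparty"]: n for n in registry}
    findings = []
    for eng in engagements:
        party = eng["counterparty"]
        nda = by_party.get(party)
        if nda is None:
            findings.append((party, "NO_NDA_ON_FILE"))            # step 10: raise a Non-Conformity
            continue
        if nda["signed"] > eng["first_disclosure"]:
            findings.append((party, "SIGNED_AFTER_DISCLOSURE"))   # step 2: pre-disclosure signing
        if not nda["survival_clause"]:
            findings.append((party, "NO_SURVIVAL_CLAUSE"))        # step 5: obligations must survive
        if nda["signatory"] not in AUTHORISED_SIGNATORIES:
            findings.append((party, "UNAUTHORISED_SIGNATORY"))    # Signatory Authority trap
        expiry = nda["expires"]
        if eng["active"] and expiry is not None:
            if expiry < as_of:
                findings.append((party, "EXPIRED_WHILE_ACTIVE"))  # Expiry trap: no legal cover
            elif expiry - as_of <= timedelta(days=warn_days):
                findings.append((party, "EXPIRES_SOON"))          # renew before cover lapses
    return findings


if __name__ == "__main__":
    for party, finding in audit_nda_coverage(NDA_REGISTRY, ENGAGEMENTS, date(2025, 12, 1)):
        print(f"{finding:<24} {party}")
```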

About the author

Stuart Barker
ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
