
How to Implement ISO 27001 Annex A 6.6 Confidentiality or Non-disclosure Agreements

In this how-to guide to implementing ISO 27001 Annex A 6.6 Confidentiality or Non-disclosure Agreements, you will learn directly from an ISO 27001 Lead Auditor:

  • The requirement of the control
  • The required implementation steps
  • The minimum requirement

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 6.6 is a legal safeguard. It requires the organisation to define, document and enforce confidentiality or non-disclosure agreements (NDAs) that protect its sensitive information assets. The control ensures that every party is legally bound before it is given access to information, giving the business enforceable protection of intellectual property and reduced liability when information is leaked.

ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreements Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 6.6. This control demands that confidentiality or non-disclosure agreements (NDAs) are not just signed pieces of paper, but enforceable legal instruments that reflect the organisation’s specific needs for protecting information assets.

1. Differentiate NDAs by Role and Risk

Control Requirement: Identify the requirement for confidentiality or non-disclosure agreements that reflects the organisation’s needs.

Required Implementation Step: Do not use a single generic NDA for everyone. Create three distinct templates: ‘Standard Staff’ (low risk), ‘Privileged Admin/Exec’ (high IP and financial risk) and ‘External Partner/Vendor’ (commercial liability). Review each template with legal counsel so that it specifically covers the types of information the group is exposed to (for example PII, source code, trade secrets) and states how long the obligations last and what happens to the information when the engagement ends.

Minimum Requirement: Three distinct, legally reviewed NDA templates stored in a central repository.

2. Enforce Pre-Disclosure Signing

Control Requirement: Ensure agreements are signed before information is disclosed.

Required Implementation Step: Implement a ‘No NDA, No Meeting’ protocol for external parties. Instruct reception and meeting organisers that external guests cannot enter sensitive areas, or join Teams calls where confidential information is discussed, unless a verified, countersigned NDA is on file. ‘Verified’ means someone has checked that the agreement is signed by both parties, names the right legal entity and has not expired.

Minimum Requirement: A workflow rule (e.g., in the Visitor Management System) that blocks entry until the visitor’s NDA record is marked as countersigned and in force.

3. Define ‘Confidential Information’ Explicitly

Control Requirement: Clearly define what information is to be protected.

Required Implementation Step: Avoid vague definitions like “everything we discuss.” Update the NDA schedule to list the categories explicitly: “Client Databases,” “Pricing Algorithms,” “Unreleased Product Designs,” and “Network Schematics.” If the definition is too broad it may be unenforceable in court; if it is too narrow, anything outside it can be disclosed without breaching the agreement.

Minimum Requirement: An NDA definition clause that maps directly to your Information Classification Policy levels.
