ISO 27001 Annex A 6.2 Audit Checklist

Auditing ISO 27001 Annex A 6.2 means verifying, legally and technically, that information security obligations are embedded in employment contracts. The primary implementation requirement is enforceable confidentiality agreements; the business benefit is legal protection of organisational assets and accountability throughout the entire personnel lifecycle.

This technical verification tool is designed for lead auditors to establish the legal enforceability of information security obligations within the employment lifecycle. Use this checklist to validate compliance with ISO 27001 Annex A 6.2 (Terms and conditions of employment).

1. Information Security Responsibilities Formalised in Contracts

Verification Criteria: Employment agreements contain explicit clauses stating the employee’s responsibility for information security and adherence to organisational policies.

Required Evidence: Sampled employment contracts (internal and contractor) showing specific security and compliance clauses.

Pass/Fail Test: If a contract lacks a written commitment to follow the organisation’s Information Security Policy, mark as Non-Compliant.

2. Confidentiality and Non-Disclosure Obligations Confirmed

Verification Criteria: Enforceable confidentiality or non-disclosure agreements (NDAs) are signed by all personnel prior to being granted access to sensitive information.

Required Evidence: Signed NDAs or confidentiality sections within the main employment contract for the current workforce.

Pass/Fail Test: If any individual has active system access without a recorded and signed confidentiality agreement, mark as Non-Compliant.

3. Post-Employment Security Obligations Validated

Verification Criteria: Terms and conditions explicitly state that confidentiality and security obligations remain in force for a defined period after the termination of employment.

Required Evidence: Contractual clauses detailing “survival of obligations” or post-termination restrictive covenants regarding data protection.

Pass/Fail Test: If the contract implies that confidentiality ends on the final day of employment, mark as Non-Compliant.

4. Legal and Regulatory Requirement Flow-down Verified

Verification Criteria: Contractual terms reflect applicable statutory and regulatory requirements, such as UK GDPR, relevant to the employee’s role and data access.

Required Evidence: Contractual references to specific data protection legislation and the employee’s role in maintaining compliance.

Pass/Fail Test: If the contract fails to mention the employee’s legal duty regarding the processing of personal data (where applicable), mark as Non-Compliant.

5. Acceptable Use Policy (AUP) Acknowledgment Evidenced

Verification Criteria: Employees have formally acknowledged the Acceptable Use Policy as a condition of their employment or continued access.

Required Evidence: Signed AUP acknowledgment forms or digital timestamped ‘accept’ logs from the HR portal or GRC tool.

Pass/Fail Test: If an employee cannot be linked to a specific version of the AUP they have agreed to, mark as Non-Compliant.

6. Intellectual Property (IP) Ownership Clauses Confirmed

Verification Criteria: Employment terms clearly define the ownership of intellectual property created by the employee during the course of their work.

Required Evidence: “Work for Hire” or “Assignment of Intellectual Property” clauses within the sampled contracts.

Pass/Fail Test: If the contract is silent on IP ownership, potentially allowing employees to claim ownership of organisational data/code, mark as Non-Compliant.

7. Disciplinary Process for Security Breaches Validated

Verification Criteria: The organisation’s disciplinary process is formally referenced in the terms of employment as a consequence of security policy violations.

Required Evidence: Employee Handbook or Contract section linking security breaches to the formal disciplinary procedure.

Pass/Fail Test: If there is no documented link between security non-compliance and disciplinary action, mark as Non-Compliant.

8. Contractor Terms Alignment Verified

Verification Criteria: Terms and conditions for contractors and temporary staff are aligned with internal employee security standards.

Required Evidence: Master Service Agreements (MSAs) or Statements of Work (SoW) with third-party agencies showing security requirement flow-down.

Pass/Fail Test: If contractors have access to the same systems as employees but under “lighter” or non-existent security terms, mark as Non-Compliant.

9. Notification of Changes to Terms Confirmed

Verification Criteria: A process exists to notify and, where necessary, re-contract personnel when significant changes to security responsibilities occur.

Required Evidence: Evidence of contract amendments, side letters, or formal digital notifications regarding updated security obligations.

Pass/Fail Test: If security responsibilities have significantly changed (e.g., due to a new regulation) but personnel were not formally notified, mark as Non-Compliant.

10. Communication of Codes of Conduct Verified

Verification Criteria: Professional codes of conduct, including ethical handling of information, are incorporated into the employment terms.

Required Evidence: Signed Code of Ethics or Code of Conduct documents that explicitly mention information integrity and confidentiality.

Pass/Fail Test: If the organisation relies on unwritten “cultural expectations” for ethical data handling without formal contractual backing, mark as Non-Compliant.

ISO 27001 Annex A 6.2 SaaS / GRC Platform Failure Checklist

Control Requirement: Contractual Security
The ‘Checkbox Compliance’ Trap: Tool checks if the “Contract” field is filled in HR software.
The Reality Check: Auditor must read the actual clauses. Many generic contracts lack specific ISO 27001-aligned security language.

Control Requirement: Confidentiality
The ‘Checkbox Compliance’ Trap: GRC tool assumes all staff signed an NDA during onboarding.
The Reality Check: Verify “Legacy Staff”. Employees hired before the ISMS implementation often lack updated, enforceable NDAs.

Control Requirement: Post-Employment
The ‘Checkbox Compliance’ Trap: Tool marks this as compliant if an “Offboarding Checklist” exists.
The Reality Check: Check the contractual survival clause. A checklist is a process; the contract is the legal enforcement mechanism.

Control Requirement: Disciplinary Links
The ‘Checkbox Compliance’ Trap: Platform identifies a “Disciplinary Policy” in the folder.
The Reality Check: Verify the cross-reference. The employment contract must point to this policy to make it legally binding.

Control Requirement: IP Ownership
The ‘Checkbox Compliance’ Trap: Tool assumes all work is company-owned by default.
The Reality Check: Review contractor MSAs. Without specific “Assignment of IP” language, contractors may legally own the code they write.

Control Requirement: Contractor Parity
The ‘Checkbox Compliance’ Trap: Tool only tracks internal employees via HR integration.
The Reality Check: Manual audit of “Third-party” contracts is required. GRC tools often ignore the legal terms governing “temporary” IT staff.

Control Requirement: AUP Acknowledgment
The ‘Checkbox Compliance’ Trap: Tool records a “User Read” timestamp for the policy.
The Reality Check: Verify versioning. If the user “read” a version from 2021 but the policy was updated in 2024, the acknowledgment is void.

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
