4. Legal and Regulatory Requirement Flow-down Verified

Verification Criteria: Contractual terms reflect applicable statutory and regulatory requirements, such as UK GDPR, relevant to the employee's role and data access. Required Evidence: Contractual references to specific data protection legislation and the employee's role in maintaining compliance.

5. Acceptable Use Policy (AUP) Acknowledgment Evidenced

Verification Criteria: Employees have formally acknowledged the Acceptable Use Policy as a condition of their employment or continued access. Required Evidence: Signed AUP acknowledgment forms or digital timestamped 'accept' logs from the HR portal or GRC tool.

6. Intellectual Property (IP) Ownership Clauses Confirmed

Verification Criteria: Employment terms clearly define the ownership of intellectual property created by the employee during the course of their work. Required Evidence: "Work for Hire" or "Assignment of Intellectual Property" clauses within the sampled contracts.

7. Disciplinary Process for Security Breaches Validated

Verification Criteria: The organisation’s disciplinary process is formally referenced in the terms of employment as a consequence of security policy violations. Required Evidence: Employee Handbook or Contract section linking security breaches to the formal disciplinary procedure.

8. Contractor Terms Alignment Verified

Verification Criteria: Terms and conditions for contractors and temporary staff are aligned with internal employee security standards. Required Evidence: Master Service Agreements (MSAs) or Statements of Work (SoW) with third-party agencies showing security requirement flow-down.

9. Notification of Changes to Terms Confirmed

Verification Criteria: A process exists to notify and, where necessary, re-contract personnel when significant changes to security responsibilities occur. Required Evidence: Evidence of contract amendments, side letters, or formal digital notifications regarding updated security obligations.

10. Communication of Codes of Conduct Verified

Verification Criteria: Professional codes of conduct, including ethical handling of information, are incorporated into the employment terms. Required Evidence: Signed Code of Ethics or Code of Conduct documents that explicitly mention information integrity and confidentiality.

ISO 27001 Annex A 6.2 Audit Checklist [+ Templates]

Q: 1. Information Security Responsibilities Formalised in Contracts

Verification Criteria: Employment agreements contain explicit clauses stating the employee’s responsibility for information security and adherence to organisational policies. Required Evidence: Sampled employment contracts (internal and contractor) showing specific security and compliance clauses.

Q: 2. Confidentiality and Non-Disclosure Obligations Confirmed

Verification Criteria: Enforceable confidentiality or non-disclosure agreements (NDAs) are signed by all personnel prior to being granted access to sensitive information. Required Evidence: Signed NDAs or confidentiality sections within the main employment contract for the current workforce.

Q: 3. Post-Employment Security Obligations Validated

Verification Criteria: Terms and conditions explicitly state that confidentiality and security obligations remain in force for a defined period after the termination of employment. Required Evidence: Contractual clauses detailing "survival of obligations" or post-termination restrictive covenants regarding data protection.

In this ultimate how to audit guide to ISO 27001 Annex A 6.2 Terms of Employment, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

1. Information Security Responsibilities Formalised in Contracts
2. Confidentiality and Non-Disclosure Obligations Confirmed
3. Post-Employment Security Obligations Validated
4. Legal and Regulatory Requirement Flow-down Verified
5. Acceptable Use Policy (AUP) Acknowledgment Evidenced
6. Intellectual Property (IP) Ownership Clauses Confirmed
7. Disciplinary Process for Security Breaches Validated
8. Contractor Terms Alignment Verified
9. Notification of Changes to Terms Confirmed
10. Communication of Codes of Conduct Verified

1. Information Security Responsibilities Formalised in Contracts

Auditing ISO 27001 Annex A 6.2 is the legal and technical verification of information security obligations embedded within employment contracts. The Primary Implementation Requirement mandates enforceable confidentiality agreements, providing the Business Benefit of legally protecting organizational assets and ensuring accountability throughout the entire personnel lifecycle.

Verification Criteria: Employment agreements contain explicit clauses stating the employee’s responsibility for information security and adherence to organisational policies.

Required Evidence: Sampled employment contracts (internal and contractor) showing specific security and compliance clauses.

Pass/Fail Test: If a contract lacks a written commitment to follow the organisation’s Information Security Policy, mark as Non-Compliant.

2. Confidentiality and Non-Disclosure Obligations Confirmed

Verification Criteria: Enforceable confidentiality or non-disclosure agreements (NDAs) are signed by all personnel prior to being granted access to sensitive information.

Required Evidence: Signed NDAs or confidentiality sections within the main employment contract for the current workforce.

Pass/Fail Test: If any individual has active system access without a recorded and signed confidentiality agreement, mark as Non-Compliant.

3. Post-Employment Security Obligations Validated

Verification Criteria: Terms and conditions explicitly state that confidentiality and security obligations remain in force for a defined period after the termination of employment.

Required Evidence: Contractual clauses detailing “survival of obligations” or post-termination restrictive covenants regarding data protection.

Pass/Fail Test: If the contract implies that confidentiality ends on the final day of employment, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

Table of contents

1. Information Security Responsibilities Formalised in Contracts

2. Confidentiality and Non-Disclosure Obligations Confirmed

3. Post-Employment Security Obligations Validated