In this guide, I will show you exactly how to implement ISO 27001 Annex A 6.2 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 6.2 Terms and Conditions of Employment
ISO 27001 Annex A 6.2 requires that contractual agreements with employees and contractors state their responsibilities for information security. This control ensures that security isn’t just a “request” but a legally binding obligation from the first day of employment. The goal is to provide a legal framework that allows the organization to enforce its security policies and take action if they are violated.
Core requirements for compliance include:
- Contractual Binding: Security responsibilities must be included in the formal employment contract or agreement. It is not enough for them to be in a separate handbook that hasn’t been legally “signed into.”
- Confidentiality & Non-Disclosure: Contracts must explicitly state the employee’s duty regarding confidentiality and the protection of intellectual property, even after they leave the company.
- Policy Adherence: The terms should require employees to follow the organization’s Information Security Policy and any topic-specific policies relevant to their role.
- Disciplinary Process Link: The contract must mention that a violation of security policies can lead to the organization’s formal disciplinary process (linked to Annex A 6.4).
- 100% Signature Rate: For an audit, every single person in the scope (including temporary staff and contractors) must have a signed agreement on file that includes these security terms.
Audit Focus: Auditors will look for “The Legal Link”:
- Contract Templates: “Show me your standard employment contract template. Where does it mention Information Security?”
- Sample Verification: “Here are three random employees hired this year. Show me their signed contracts proving they agreed to these security terms.”
- Third-Party Coverage: Auditors will check if contractors and “Gig economy” workers are bound by the same (or stricter) confidentiality terms as full-time staff.
Employment Security Checklist (Audit Prep):
| Contract Element | ISO 27001 Requirement | Compliance Justification | ISO 27001:2022 Mapping |
|---|---|---|---|
| Confidentiality Clause | Mandatory. | Prevents unauthorised data disclosure and protects proprietary trade secrets. | 6.6 (Confidentiality or NDAs) |
| Intellectual Property | Ownership must be defined. | Ensures the organisation retains legal ownership of all work created by personnel. | 5.31 (Legal and regulatory requirements) |
| Acceptable Use | Reference to AUP policy. | Sets legally binding boundaries for the use of organisational assets and hardware. | 5.10 (Acceptable use of information) |
| Post-Termination | Ongoing obligations. | Ensures confidentiality and IP obligations survive the end of the employment relationship. | 6.5 (Responsibilities after termination) |
| Sanctions | Link to Disciplinary Policy. | Establishes the legal framework required to enforce security rules and policies. | 6.4 (Disciplinary process) |
Table of contents
- What is ISO 27001 Annex A 6.2?
- Watch the ISO 27001 Annex A 6.2 Tutorial
- ISO 27001 Annex A 6.2 Explainer Video
- ISO 27001 Annex A 6.2 Podcast
- ISO 27001 Annex A 6.2 Implementation Guidance
- How to implement ISO 27001 Annex A 6.2
- ISO 27001 Annex A 6.2 Implementation Checklist
- ISO 27001 Annex A 6.2 Audit Checklist
- How to pass the audit of ISO 27001 Annex A 6.2
- Documentation Location Guide
- What the auditor will check
- Top 3 ISO 27001 Annex A 6.2 mistakes and how to avoid them
- Applicability of ISO 27001 Annex A 6.2 across different business models
- Fast Track ISO 27001 Annex A 6.2 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 6.2 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Controls and Attribute values
What is ISO 27001 Annex A 6.2?
Terms of Employment are the conditions and agreements that define the relationship between an employer and an employee. These terms typically outline the rights and responsibilities of both parties.
ISO 27001 Annex A 6.2 Terms and Conditions Of Employment is an ISO 27001 control that requires an organisation to have contracts in place with employees that set out their responsibilities for information security.
ISO 27001 Annex A 6.2 Purpose
The purpose of ISO 27001 Annex A 6.2 is to ensure that employees are fully aware of their information security responsibilities in relation to their role.
ISO 27001 Annex A 6.2 Definition
ISO 27001 defines Terms and Conditions of Employment as:
The employment contractual agreements should state the personnel’s and the organisation’s responsibilities for information security.
ISO 27001:2022 Annex A 6.2 Terms and Conditions Of Employment
Watch the ISO 27001 Annex A 6.2 Tutorial
In the video ISO 27001 Terms and Conditions of Employment Explained – ISO27001:2022 Annex A 6.2 I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 6.2 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 6.2 Terms and Conditions of Employment, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 6.2 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 6.2 Terms and Conditions of Employment. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 6.2 Implementation Guidance
General Guidance
You are going to have to:
- engage with a legal professional for professional advice
- engage with an HR professional for professional advice
- put in place contracts that include the personnel’s and the organisation’s responsibilities for information security
- ensure you have contractual agreements with all personnel that are legally binding
- ensure you adhere to all applicable laws and regulations
ISO 27001 Policies
The contract should consider your ISO 27001 policies: that is, the main information security policy and any ISO 27001 topic-specific policies. Policies are statements of what you do for information security and what is expected of people.
What to include in the employment contract
The following can be considered:
- non-disclosure agreements (NDAs)
- confidentiality agreements
- legal rights
The following are guidance. I am not really sure they sit well in contractual agreements, but be aware that the standard lists them as guidance:
- Classification of information
- management of information
- management of assets
- information processing facilities
- information services
- handling information you get from third parties and interested parties
- what actions will be taken if you don’t follow the information security requirements
Communication
You will communicate roles and responsibilities for information security during the pre-employment phase of your process.
Agreement
Information security requirements should be agreed, which usually means the employee signing the contract and you keeping a copy of the signed contract on file.
Appropriateness of terms
You want to make sure that any terms and requirements are appropriate to the person, their role, what they do and the access they have.
Review of terms
As part of continual improvement, be sure to review the terms you have, especially when your policies change or when laws or regulations change.
Non Disclosure Agreement ISO 27001
Certain obligations remain in place after employment ends, and these are usually defined for a set period of time. Consider things like an ISO 27001 non-disclosure agreement and confidentiality agreement that you may want to remain in force for 12 months after employment ends.
Employee handbook / code of conduct
Having an employee handbook or code of conduct is a fantastic way to share and communicate information security responsibilities and key messages, and I have seen this work well in many organisations.
Employees that come from an agency or third party
If you have personnel that you do not employ directly, but rather engage through an agency or third party, then the agency or third party should enter into a contract on behalf of those people.
How to implement ISO 27001 Annex A 6.2
Implementing ISO 27001 Annex A 6.2 requires a structured approach to integrating security obligations into the legal relationship between the organisation and its personnel. By formalising these responsibilities within contracts and non-disclosure agreements, you establish a legally binding framework that protects information assets throughout the entire employment lifecycle.
1. Formalise Information Security Clauses in Contracts
Work with Legal and HR departments to ensure that every employment agreement contains explicit security mandates rather than generic references.
- Incorporate a mandatory requirement for personnel to adhere to the organisation’s Information Security Policy (ISP) and Acceptable Use Policy (AUP).
- Define the legal and regulatory consequences of security breaches, linking them directly to the organisation’s formal Disciplinary Process.
- Specify the ownership of intellectual property (IP) and data created during the term of employment.
- Ensure clauses cover the requirement to report security events or suspected weaknesses immediately.
2. Provision Enforceable Non-Disclosure Agreements (NDAs)
Identify and document specific confidentiality requirements that protect sensitive data before access is granted to any internal or external party.
- Draft standalone NDAs or confidentiality clauses that define exactly what constitutes “Confidential Information.”
- Mandate that these obligations “survive” the termination of employment, remaining in force for a defined period or indefinitely.
- Require signed acknowledgements from all third-party contractors and freelance consultants prior to provisioning their IAM roles.
- Store all signed digital agreements in a centralised, tamper-proof document management system.
3. Document Responsibilities for Asset Handling
Clearly define the expected conduct for the use, return, and protection of organisational physical and digital assets.
- Include specific terms regarding the use of Multi-Factor Authentication (MFA) and the protection of authentication credentials.
- Establish the “Clear Desk and Clear Screen” requirements within the contractual terms of employment.
- Formalise the legal obligation to return all hardware, security fobs, and ID badges upon the cessation of the business relationship.
- Outline the restrictions on the use of unauthorised software or personal cloud storage for company data.
4. Formalise the Disciplinary Process Linkage
Ensure that personnel are aware that security failures are treated as professional performance issues subject to formalised sanctions.
- Integrate the Security Disciplinary Policy with the standard HR disciplinary handbook to ensure consistency.
- Communicate the “graduated” approach to sanctions, ranging from mandatory retraining for minor negligence to termination for gross misconduct.
- Provide evidence of this linkage during the initial security induction training for all new starters.
5. Audit and Review Contractual Compliance
Perform regular reviews of personnel files and third-party contracts to ensure all security terms remain current and signed.
- Conduct an annual review of contract templates to align with new legal requirements, such as GDPR or updated ISO 27001 control sets.
- Verify that all active personnel have a signed, valid NDA on record through a cross-reference audit with the Register of Entrants (ROE).
- Revoke access rights immediately for any individual whose contractual status changes or whose agreement has expired.
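The cross-reference audit in step 5 is the kind of check that is easy to describe and easy to get wrong by hand once headcount grows. The following is an added illustration, not code from the page or from the High Table toolkit: it reconciles a personnel register (the page calls it the Register of Entrants) against signed-agreement records and reports the gaps an auditor would sample for, namely no agreement on file, an expired contractor NDA, an agreement signed after the start date, an agreement on a superseded template version, and a leaver whose access is still active. The data model, the template version numbers, the severity rule (major findings count against the signature rate, minor ones are observations) and every record in the sample register are assumptions constructed for the example.

```python
"""Reconcile a personnel register against signed-agreement records.

Illustrative check for the "100% signature rate" evidence an auditor samples:
every in-scope person (employee, contractor, temp) must hold a signed, current,
unexpired contract and NDA, and leavers must have no live access.
All records below are constructed for the example; none are real.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    worker_type: str            # "employee", "contractor" or "temp"
    start_date: date
    end_date: Optional[date]    # None while the engagement is active
    access_active: bool         # whether the IAM system still shows live access


@dataclass(frozen=True)
class Agreement:
    person_id: str
    doc_type: str               # "contract" or "nda"
    template_version: str       # version of the template that was actually signed
    signed_on: date
    expires_on: Optional[date]  # None for open-ended obligations


@dataclass(frozen=True)
class Finding:
    person_id: str
    severity: str               # "major" fails the person; "minor" is an observation
    issue: str


# Assumed current template versions; anything older is flagged as a minor finding.
CURRENT_TEMPLATES: Dict[str, str] = {"contract": "v3.0", "nda": "v2.1"}


def reconcile(people: List[Person], agreements: List[Agreement],
              current_templates: Dict[str, str], as_of: date) -> List[Finding]:
    """Cross-reference every person against their agreements and return the gaps."""
    by_person: Dict[str, List[Agreement]] = {}
    for agreement in agreements:
        by_person.setdefault(agreement.person_id, []).append(agreement)

    findings: List[Finding] = []
    for person in people:
        if person.end_date is not None and person.end_date < as_of:
            # Leaver: post-termination duties belong to Annex A 6.5, but live access is a gap here.
            if person.access_active:
                findings.append(Finding(person.person_id, "major",
                                        "access still active after engagement ended"))
            continue
        docs = by_person.get(person.person_id, [])
        for doc_type, wanted_version in current_templates.items():
            signed = [a for a in docs if a.doc_type == doc_type]
            if not signed:
                findings.append(Finding(person.person_id, "major", f"no signed {doc_type} on file"))
                continue
            latest = max(signed, key=lambda a: a.signed_on)   # most recent signature wins
            if latest.expires_on is not None and latest.expires_on < as_of:
                findings.append(Finding(person.person_id, "major",
                                        f"{doc_type} expired on {latest.expires_on.isoformat()}"))
            if latest.signed_on > person.start_date:
                late_by = (latest.signed_on - person.start_date).days
                findings.append(Finding(person.person_id, "minor",
                                        f"{doc_type} signed {late_by} days after start date"))
            if latest.template_version != wanted_version:
                findings.append(Finding(person.person_id, "minor",
                                        f"{doc_type} on template {latest.template_version}, current is {wanted_version}"))
    return findings


def signature_rate(people: List[Person], findings: List[Finding], as_of: date) -> float:
    """Fraction of active (in-scope) personnel with no major finding; 1.0 means 100% signed."""
    in_scope = {p.person_id for p in people if p.end_date is None or p.end_date >= as_of}
    failing = {f.person_id for f in findings if f.severity == "major"} & in_scope
    return (len(in_scope) - len(failing)) / len(in_scope) if in_scope else 1.0


def sample_register() -> Tuple[List[Person], List[Agreement]]:
    """Constructed sample data covering each failure mode the check looks for."""
    people = [
        Person("P001", "employee",   date(2024, 1, 8),  None,              True),   # fully compliant
        Person("P002", "contractor", date(2024, 3, 1),  None,              True),   # NDA has expired
        Person("P003", "temp",       date(2025, 5, 12), None,              True),   # nothing on file
        Person("P004", "employee",   date(2022, 6, 1),  None,              True),   # old contract template
        Person("P005", "contractor", date(2023, 1, 1),  date(2025, 1, 31), True),   # leaver, access still live
        Person("P006", "employee",   date(2025, 2, 3),  None,              True),   # signed two weeks late
    ]
    agreements = [
        Agreement("P001", "contract", "v3.0", date(2024, 1, 5),  None),
        Agreement("P001", "nda",      "v2.1", date(2024, 1, 5),  None),
        Agreement("P002", "contract", "v3.0", date(2024, 3, 1),  None),
        Agreement("P002", "nda",      "v2.1", date(2024, 3, 1),  date(2025, 3, 1)),
        Agreement("P004", "contract", "v2.0", date(2022, 5, 20), None),
        Agreement("P004", "nda",      "v2.1", date(2022, 5, 20), None),
        Agreement("P005", "contract", "v3.0", date(2022, 12, 20), None),
        Agreement("P005", "nda",      "v2.1", date(2022, 12, 20), None),
        Agreement("P006", "contract", "v3.0", date(2025, 2, 17), None),
        Agreement("P006", "nda",      "v2.1", date(2025, 2, 17), None),
    ]
    return people, agreements


def run_check(as_of: date = date(2025, 6, 30)) -> Tuple[List[Finding], float]:
    """Run the reconciliation over the sample register and return (findings, signature rate)."""
    people, agreements = sample_register()
    findings = reconcile(people, agreements, CURRENT_TEMPLATES, as_of)
    return findings, signature_rate(people, findings, as_of)


if __name__ == "__main__":
    found, rate = run_check()
    for f in found:
        print(f"{f.severity.upper():5} {f.person_id}: {f.issue}")
    print(f"signature rate: {rate:.0%}")
```

Run against a real export, the two numbers an auditor cares about are the list of major findings (each one is a person who cannot be shown a signed, current agreement) and the signature rate, which should read 100% before the audit, not after it.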
ISO 27001 Annex A 6.2 Implementation Checklist
1. Develop a Standardised Employment Contract Template
Challenges
- Ensuring the template covers all necessary information security requirements.
- Keeping the template updated with legal and regulatory changes.
Solutions
- Involve legal and HR professionals in the development process.
- Regularly review and update the template based on legal and regulatory changes.
2. Include Clear Information Security Clauses
Challenges
- Communicating complex security concepts in an understandable manner.
- Ensuring all employees understand and agree to their information security obligations.
Solutions
- Use clear and concise language.
- Provide employee training and awareness sessions on information security policies and procedures.
- Obtain signed acknowledgments from employees confirming their understanding of their obligations.
3. Address Confidentiality Obligations
Challenges
- Defining and classifying confidential information.
- Ensuring employees understand the consequences of breaching confidentiality.
Solutions
- Develop a clear ISO 27001 data classification policy.
- Include specific clauses regarding confidentiality and non-disclosure agreements (NDAs).
- Implement appropriate disciplinary measures for confidentiality breaches.
4. Outline Acceptable Use of Company Resources
Challenges
- Defining acceptable use of company devices, systems, and networks.
- Monitoring employee activity without violating privacy rights.
Solutions
- Develop and communicate a clear ISO 27001 acceptable use policy (AUP).
- Implement appropriate monitoring and logging controls.
- Provide regular training on the AUP and its implications.
5. Define Employee Responsibilities for Data Protection
Challenges
- Ensuring employees understand their role in protecting personal data.
- Implementing effective data protection controls across all departments.
Solutions
- Provide data protection training to all employees.
- Implement data protection policies and procedures, such as data minimisation and appropriate data handling practices.
- Assign data protection roles and responsibilities to specific individuals or teams.
6. Address Remote Work Considerations
Challenges
- Ensuring the security of remote work environments.
- Managing the use of personal devices for work purposes.
Solutions
- Develop and implement an ISO 27001 remote work policy that addresses security risks.
- Provide employees with secure remote access solutions.
- Implement appropriate security measures for personal devices used for work.
7. Incorporate Data Breach Notification Procedures
Challenges
- Ensuring employees know how to report suspected data breaches.
- Implementing a timely and effective incident response process.
Solutions
- Establish clear reporting procedures for suspected data breaches.
- Provide training to employees on how to recognise and report suspicious activity.
- Implement an incident response plan to effectively handle data breaches.
8. Review and Update Employment Contracts Regularly
Challenges
- Keeping track of changes in legislation and industry best practices.
- Ensuring all employees have the latest version of the employment contract.
Solutions
- Conduct regular reviews of employment contracts to ensure compliance with legal and regulatory requirements.
- Communicate any changes to employees in a timely manner.
9. Obtain Employee Acknowledgement
Challenges
- Ensuring employees understand and agree to the terms and conditions of their employment.
- Tracking employee acknowledgments of contract terms.
Solutions
- Require employees to sign an acknowledgment form confirming their understanding of the employment contract.
- Maintain records of all employee acknowledgments.
10. Conduct Internal Audits and Reviews
Challenges
- Ensuring compliance with employment contract terms and information security policies.
- Identifying and addressing any gaps in the implementation of controls.
Solutions
- Conduct regular internal audits to assess compliance with employment contract terms.
- Review and analyse audit findings to identify areas for improvement.
- Implement corrective and preventive actions to address any identified issues.
ISO 27001 Annex A 6.2 Audit Checklist
How to audit ISO 27001 Annex A 6.2 Terms and Conditions Of Employment
1. Review Employment Contracts
- Focus on Confidentiality Clauses: Ensure they explicitly state employee obligations to protect confidential information (customer data, intellectual property, trade secrets).
- Check for Data Protection Clauses: Verify the contract addresses employee responsibilities for handling personal data, including compliance with relevant data protection regulations (e.g., GDPR).
- Examine Non-Disclosure Agreements (NDAs): Determine if appropriate NDAs are in place for employees accessing highly sensitive information.
2. Assess Employee Handbooks
- Look for Information Security Policies: Verify the handbook includes policies on data security, acceptable use of IT resources, and social media usage.
- Check for Data Breach Reporting Procedures: Ensure employees are aware of the procedures for reporting suspected or actual data breaches.
- Review Disciplinary Procedures: Confirm the handbook outlines consequences for violating information security policies.
3. Verify Background Checks and Screening
- Evaluate the thoroughness of background checks: Determine if appropriate checks (e.g., criminal records, credit checks, reference checks) are conducted for relevant roles.
- Assess the screening process: Ensure the process is fair, consistent, and aligned with relevant laws and regulations.
4. Examine Employee Training
- Review training records: Ensure employees receive mandatory training on information security awareness, data protection, and their specific roles and responsibilities.
- Assess training effectiveness: Determine if training is engaging, relevant, and effectively communicated to employees.
- Check for ongoing training: Verify that employees receive regular refresher training to maintain awareness and knowledge.
5. Investigate Data Access Control
- Review access controls: Ensure employees only have access to the data they need to perform their job duties.
- Assess the “need-to-know” principle: Determine if the principle is applied consistently when granting access to sensitive data.
- Review access reviews: Confirm that access rights are regularly reviewed and updated to reflect current job roles and responsibilities.
6. Evaluate Remote Work Practices
- Assess security measures for remote work: Determine if appropriate security measures are in place for employees working from home, such as secure remote access, VPNs, and encrypted devices.
- Review policies for home office security: Verify that employees are aware of and comply with security requirements for working from home.
7. Investigate BYOD Policies
- Review Bring Your Own Device (BYOD) policies: Determine if clear policies are in place for employees using personal devices for work purposes.
- Assess security measures for BYOD devices: Ensure appropriate security measures are in place for BYOD devices, such as mobile device management (MDM) software and encryption.
8. Interview Key Personnel
- Interview HR personnel: Gather information on recruitment, onboarding, training, and disciplinary procedures.
- Interview IT personnel: Understand how access controls are managed, how remote work is supported, and how BYOD devices are secured.
- Interview employees: Obtain employee feedback on information security awareness, training, and their overall understanding of their responsibilities.
9. Review Incident Response Procedures
- Assess employee involvement in incident response: Determine if employees are aware of their roles and responsibilities in the event of a data breach or other security incident.
- Review employee training on incident response: Ensure employees receive training on how to identify, report, and respond to security incidents.
10. Document Audit Findings
- Record all audit findings: Document any non-conformances, observations, and recommendations for improvement.
- Prepare an audit report: Summarise the audit findings and provide recommendations for corrective and preventive actions.
How to pass the audit of ISO 27001 Annex A 6.2
To comply with ISO 27001 Annex A 6.2 you are going to implement the ‘how’ for the ‘what’ the control expects. In short, you are going to:
- Write, sign off, implement and communicate your topic specific information security policies
- Write, sign off, implement and communicate your contract of employment template under the guidance and advice of an HR professional and a legal professional
- Implement your contract of employment with personnel
- Implement your communication plan to communicate to relevant and interested parties
- Ensure that the contract of employment meets all applicable laws, including local laws and regulations
- Implement an internal audit process that checks that the appropriate controls are in place and effective, and where they are not, follow the continual improvement process to address the risks
To pass an audit of ISO 27001 Annex A 6.2 you are going to make sure that you have followed the steps above in how to comply.
Documentation Location Guide
| Topic | Document Location | Why? |
|---|---|---|
| Confidentiality (NDA) | Employment Contract | Legal protection requires a signature. |
| Disciplinary Process | Employment Contract | Must be legally binding for termination. |
| Background Check Consent | Offer Letter / Contract | Legal requirement to process data. |
| Password Policy | Employee Handbook | Technology changes faster than contracts. |
| Clean Desk Policy | Employee Handbook | Operational rule, not a legal term. |
| Acceptable Use (AUP) | Handbook (Signed) | Needs regular updates (e.g., AI use). |
What the auditor will check
The audit is going to check a number of areas for compliance with Annex A 6.2. Let’s go through them.
1. That you have a documented contract of employment
The auditor will meet with the HR team and look for a documented contract of employment template. They will then seek evidence that the contract of employment is in place by reviewing a sample of employees. They will be checking that the terms of this clause have been met.
2. That you have communicated the terms of employment
The process needs to be communicated to relevant and interested parties. The audit will check the training and awareness plan and the communication plan, and look for past evidence that this communication has happened.
3. That people are aware of their responsibilities
The audit is going to check for documented processes and documented topic-specific policies, that these have been communicated, and that people have been trained on what is required of them. It will check that people have a contract with terms and that they understand and accept them.
Top 3 ISO 27001 Annex A 6.2 mistakes and how to avoid them
In my experience, the top 3 mistakes people make for ISO 27001 Terms and Conditions of Employment are:
1. You have no evidence that anything actually happened
You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated contracts for all employees and personnel and that they meet the requirements of this control. In smaller organisations and start-ups it is often the case that this is not in place.
2. One or more members of your team haven’t done what they should have done
Prior to the audit, check that all members of the team have done what they should have. Do they know where the process documents are in relation to the employment process? Has everyone got a contract and received and accepted terms of employment? Do a pre-audit as close to the audit as you can that checks the contract and terms of employment process and the HR team that will be involved. Assuming they are doing the right thing is a recipe for disaster. Check!
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no stray comments left in them are all good practices.
Applicability of ISO 27001 Annex A 6.2 across different business models
| Business Type | Applicability | Examples of Control Implementation |
|---|---|---|
| Small Businesses | Highly applicable for setting the legal baseline for new hires. | The focus is on ensuring that even in small teams, there is a clear contractual obligation for employees to follow security rules from day one. |
| Tech Startups | Critical for protecting high-value intellectual property (IP) and ensuring developer accountability. | Compliance involves ensuring that “contractors” and “full-time staff” have consistent security obligations. |
| AI Companies | Vital for protecting unique model weights, training datasets, and proprietary research. | Focus is on legal protections that prevent the unauthorized sharing of sensitive AI-specific IP. |
Fast Track ISO 27001 Annex A 6.2 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 6.2 (Terms and conditions of employment), the requirement is to ensure that contractual agreements with employees and contractors state their responsibilities for information security. This is an HR governance control designed to ensure security is legally enforceable from Day 1.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Policy Ownership | Rents access to your HR standards; if you cancel the subscription, your documented security clauses and legal history vanish. | Permanent Assets: Fully editable Word/Excel HR Security Policies and contract clauses that you own forever. | A localized “HR Security Policy” defining mandatory confidentiality requirements for all new hires. |
| Legal Implementation | Attempts to “automate” contracts via dashboards that cannot draft legally binding language specific to your local jurisdiction. | Governance-First: Provides the specific legal language needed to bake security into your existing employment contracts. | Standardized “Confidentiality Clauses” integrated into employee and contractor agreements. |
| Cost Efficiency | Charges a “Per-Employee Tax” that scales aggressively as your headcount and organizational complexity grow. | One-Off Fee: A single payment covers your HR governance for 10 employees or 1,000. | Allocating budget to hiring top talent rather than paying a monthly software fee to track “contract status.” |
| HR Strategy Freedom | Mandates rigid workflows that may conflict with local labor laws, union agreements, or specific HR software (Workday, etc.). | 100% Agnostic: Templates adapt to any jurisdiction or company culture—ensuring legal compliance without technical limits. | The ability to evolve your employment terms and HR tech stack without reconfiguring a rigid SaaS compliance module. |
Summary: For Annex A 6.2, the auditor wants to see that security responsibilities are clearly defined in your terms and conditions. The High Table ISO 27001 Toolkit provides the legal framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 6.2 FAQ
What is ISO 27001 Annex A 6.2?
ISO 27001 Annex A 6.2 is an organisational control that mandates that information security responsibilities are clearly defined and communicated within the contractual terms of employment.
- It ensures that security duties are legally binding for employees and contractors.
- It establishes the legal basis for the organisation’s disciplinary process.
- It requires personnel to agree to confidentiality and non-disclosure obligations.
- It forms a critical part of the “People” theme in the ISO 27001:2022 standard.
What information security clauses must be in an employment contract?
Employment contracts must explicitly state the employee’s duty to protect sensitive information and adhere to the organisation’s Information Security Management System (ISMS).
- A mandatory requirement to follow all internal security policies and procedures.
- Enforceable confidentiality and non-disclosure (NDA) clauses.
- Responsibilities for the protection of physical and digital assets.
- Acknowledgement of the disciplinary process in the event of a security breach.
Does Annex A 6.2 apply to temporary staff and contractors?
Yes, ISO 27001 Annex A 6.2 applies to all individuals with access to organisational information assets, including third-party contractors, freelancers, and temporary staff.
- Agreements with contractors must reflect the same security rigour as permanent staff.
- Contractual terms should include the right for the organisation to audit compliance.
- Terms must specify that confidentiality duties extend beyond the end of the contract.
- Specific clauses should cover the return of assets upon termination of the engagement.
Are Non-Disclosure Agreements (NDAs) required for ISO 27001?
Yes, confidentiality or non-disclosure agreements are a fundamental component of Annex A 6.2 to ensure data protection is legally enforceable.
- NDAs should be signed prior to granting any access to sensitive or proprietary data.
- The agreement must clearly define what constitutes “confidential information.”
- Obligations must remain in force after an individual leaves the organisation.
- Copies of signed agreements must be maintained as verifiable audit evidence.
Can an organisation fail an audit due to missing security terms in contracts?
Yes, failing to include specific information security terms in employment or contractor agreements is a common cause of minor non-conformities during ISO 27001 audits.
- Auditors perform spot checks on personnel files to verify signed contracts.
- Lack of security clauses weakens the legal standing and enforceability of the ISMS.
- Contracts must be updated to align with the current ISO 27001:2022 control set.
- Evidence of signed NDAs for all relevant third parties is a high-priority audit item.
What is the difference between ISO 27001 Annex A 6.1 and 6.2?
The primary difference is that Annex A 6.1 focuses on the screening of personnel before they join, while Annex A 6.2 focuses on the contractual obligations once they are hired.
- Annex A 6.1 (Screening): Identity verification and background checks.
- Annex A 6.2 (Terms): Legal contracts and security responsibilities.
- Both controls work together to manage human-centric security risks.
Related ISO 27001 Controls
ISO 27001 Clause 7.4 Communication
ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment
ISO 27001 Annex A 5.1 Policies for Information Security
Further Reading
The complete guide to ISO/IEC 27002:2022
ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability Confidentiality Integrity | Protect | Human resource security | Governance and ecosystem |