Table of contents
ISO 27001 Terms and Conditions of Employment
ISO 27001 Terms of Employment are the conditions and agreements that define the relationship between an employer and an employee. These terms typically outline the rights and responsibilities of both parties.
In this ultimate guide to ISO 27001 Terms and Conditions of Employment you will learn
- What are ISO 27001 Employment Terms and Conditions
- How to implement Terms and Conditions of Employment for ISO 27001
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.
What is ISO 27001 Annex A 6.2?
ISO 27001 Annex A 6.2 Terms of Employment is an ISO 27001 Annex A control that wants you to have contracts in place with employees that set out responsibilities for information security.
ISO 27001 Annex A 6.2 Purpose
The purpose of ISO 27001 Annex A 6.2 terms of employment is to ensure that employees are fully aware of their information security responsibilities in relation to their role.
ISO 27001 Annex A 6.2 Definition
The ISO 27001 standard defines ISO 27001 Annex A 6.2 terms and conditions of employment as:
The employment contractual agreements should state the personnel’s and the organisations responsibilities for information security.
ISO 27001:2022 Annex A 6.2 Terms of Employment
Implementation Guide
General Guidance
You are going to have to
- engage with a legal professional for professional advice
- engage with a HR professional for professional advice
- put in place contracts that include the personnel and the organisations responsibilities for information security
- ensure you have contractual agreements with all personnel that are legally binding
- ensure you adhere to all applicable laws and regulations
ISO 27001 Policies
The contract should consider your ISO 27001 policies. That is the main information security policy and any ISO 27001 topic specific policies. Policies are statements of what you do for information security and what is expected of people.
What to include in the employment contract
The following can be considered:
- NDA, non disclosure agreements
- confidentiality agreements
- legal rights
The following are guidance and I am not really sure they sit well in contractual agreements but to be aware that the standard has them as guidance
- Classification of information
- management of information
- management of assets
- information processing facilities
- information services
- handling information you get from third parties and interested parties
- what actions will be taken if you don’t follow the information security requirements
Communication
You will communicate roles and responsibilities for information security during the pre employment phase of your process.
Agreement
Information security requirements should be agreed which usually is the case of the employee signing the contract and you having a copy of the contract on file.
Appropriateness of terms
You want to make sure that any terms and requirements are appropriate to the person, their role, what they do and the access they have.
Review of terms
As a process of continual improvement be sure to review the terms you have, especially if you change your policies or the laws, or regulations change.
After employment
There are certain things that will remain in place after employment and this is usually defined for a set period of time. Consider things like non disclosure and confidentiality that you may want in place for 12 months post employment ending.
Employee hand book /code of conduct
Having an employee hand book or code of conduct is a fantastic way to share and communicate information security responsibilities and key messages and I have seen this work well in many organisations.
Employees that come from agency / third party
If you have employees that you do not employ directly but rather you use and agency of third party then the agency of third party should really enter into a contract on behalf of those people.
Watch the Tutorial
Watch the ISO 27001 Tutorial on ISO 27001 Terms and Conditions of Employment
How to pass the audit
To comply with ISO 27001 Annex A 6.2 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:
- Write, sign off, implement and communicate your topic specific information security policies
- Write, sign off, implement and communicate your contract of employment template under the guidance and advice of a HR professional and a legal professional
- Implement your contract of employment with personnel
- Implement your communication plan to communicate to relevant and interested parties
- Ensure that the contract of employment meets all laws as well as local laws and regulations
- Implement a process of internal audit that checks that the appropriate controls are in place and effective and where they are not follow the continual improvement process to address the risks
To pass an audit of ISO 27001 Annex A 6.2 you are going to make sure that you have followed the steps above in how to comply.
What the auditor will check
The audit is going to check a number of areas for compliance with Annex A 6.2. Lets go through them
1. That you have a documented contract of employment
The auditor will meet with the HR team and look for a documented contract of employment template. They will then seek evidence that the contract of employment is in place by reviewing a sample of employees. They will be checking that the terms of this clause have been met.
2. That you have communicated the terms of employment
The process needs to be communicated to relevant and interested parties. The audit will check that the training and awareness plan and the communication plan and look for past evidence that this has happened.
3. That people are aware of their responsibilities
The audit is going to check for documented processes, documented topic specific policy and these have been communicated and people have been trained on what is required of them. It will check if people have a contract with terms and they understand and accept them.
Top 3 Mistakes People Make
In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.2 are
1. You have no evidence that anything actually happened
You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated contracts for all employees and personnel and that they meet the requirements of this control. In smaller organisations and start ups it is often the case that this is not in place.
2. One or more members of your team haven’t done what they should have done
Prior to the audit check that all members of the team have done what they should have. Do they know where the process documents are in relation to the employment process? Has everyone got a contract and received and accepted terms of employment? Do a pre audit as close to the audit as you can that checks the contract and terms of employment process and the HR team that will be involved. Assuming they are doing the right thing is a recipe for disaster. Check!
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
ISO 27001 Templates
Having ISO 27001 templates can help fast track your ISO 27001 implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification.
ISO 27001 Annex A 6.2 FAQ
Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 6.2 Terms of Employment:
You cannot get ISO 27001 certification without it.
Improved security: You will have an effective information security implementation that is based on people who contracts in place and those contracts cover information security requirements
Reduced risk: You will reduce the information security risks by having legally binding contracts in place with employees that set out the consequences of not meeting information security requirements and being able to enforce them
Improved compliance: Standards and regulations require you to have terms of employment in place
Reputation Protection: In the event of a breach having a terms of employment procedure in place will reduce the potential for fines and reduce the PR impact of an event
Terms of employment are important because they protect both the employer and the employee. They set out the expectations of both parties and help to avoid misunderstandings and conflict.
For employers, terms of employment can help to ensure that they are getting the best possible value from their employees. They can also help to protect the employer from legal liability if an employee breaches the terms of their contract.
For employees, terms of employment can help to protect their rights and ensure that they are treated fairly. They can also help to ensure that the employee is aware of their responsibilities and obligations to their employer.
HR is responsible for screening employees. Under the guidance of legal counsel they are best placed to follow best practice and meet the requirements of the law.
Yes. You will need the help of a HR professional and a legal professional.
To implement this should take no more than an hour of your time. HR professionals utilise HR templates and follow standard practices. This should be outsourced to a HR professional.
Yes, if your organisation employees more than 1 person then you need to meet the requirements of this control and legally binding terms and conditions of employment in place.
ISO 27001 Controls and Attribute values
Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
Preventive | Availability Confidentiality Integrity | Protect | Human resource security | Governance and ecosystem |