ISO 27001 Annex A 6.2 Terms Of Employment

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 6.2 Terms Of Employment

ISO 27001 Terms Of Employment

In this ultimate guide to ISO 27001 Annex A 6.2 Terms Of Employment you will learn

  • What is ISO 27001 Annex A 6.2
  • How to implement ISO 27001 Annex A 6.2

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 6.2?

ISO 27001 Annex A 6.2 Terms of Employment is an ISO 27001 Annex A control that wants you to have contracts in place with employees that set out responsibilities for information security.


The purpose of ISO 27001 Annex A 6.2 is a preventive control that employees are fully aware of their information security responsibilities in relation to their role.


The ISO 27001 standard defines ISO 27001 Annex A 6.2 as:

The employment contractual agreements should state the personnel’s and the organisations responsibilities for information security. 

ISO 27001:2022 Annex A 6.2 Terms of Employment

Implementation Guide

You are going to have to

  • engage with a legal professional for professional advice
  • engage with a HR professional for professional advice
  • put in place contracts that include the personnel and the organisations responsibilities for information security
  • ensure you have contractual agreements with all personnel that are legally binding
  • ensure you adhere to all applicable laws and regulations

ISO 27001 Policies

The contract should consider your ISO 27001 policies. That is the main information security policy and any ISO 27001 topic specific policies. Policies are statements of what you do for information security and what is expected of people.

What to include in the employment contract

The following can be considered:

  • NDA, non disclosure agreements
  • confidentiality agreements
  • legal rights

The following are guidance and I am not really sure they sit well in contractual agreements but to be aware that the standard has them as guidance

  • Classification of information
  • management of information
  • management of assets
  • information processing facilities
  • information services
  • handling information you get from third parties and interested parties
  • what actions will be taken if you don’t follow the information security requirements


You will communicate roles and responsibilities for information security during the pre employment phase of your process.


Information security requirements should be agreed which usually is the case of the employee signing the contract and you having a copy of the contract on file.

Appropriateness of terms

You want to make sure that any terms and requirements are appropriate to the person, their role, what they do and the access they have.

Review of terms

As a process of continual improvement be sure to review the terms you have, especially if you change your policies or the laws, or regulations change.

After employment

There are certain things that will remain in place after employment and this is usually defined for a set period of time. Consider things like non disclosure and confidentiality that you may want in place for 12 months post employment ending.

Employee hand book /code of conduct

Having an employee hand book or code of conduct is a fantastic way to share and communicate information security responsibilities and key messages and I have seen this work well in many organisations.

Employees that come from agency / third party

If you have employees that you do not employ directly but rather you use and agency of third party then the agency of third party should really enter into a contract on behalf of those people.


Stuart - High Table - ISO27001 Ninja - 3

ISO 27001 Templates

Having an ISO 27001 template for control 6.2 can help fast track your implementation. For this control you are going to require all of the ISO 27001 Policy Templates as a minimum. For a full ISO 27001 implementation, the ISO 27001 Document Toolkit is the ultimate resource so you can do it yourself.


All the templates, tools, support and knowledge you need to do it yourself.

ISO 27001 Toolkit Business Edition

How to comply

To comply with ISO 27001 Annex A 6.2 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  • Write, sign off, implement and communicate your topic specific information security policies
  • Write, sign off, implement and communicate your contract of employment template under the guidance and advice of a HR professional and a legal professional
  • Implement your contract of employment with personnel
  • Implement your communication plan to communicate to relevant and interested parties
  • Ensure that the contract of employment meets all laws as well as local laws and regulations
  • Implement a process of internal audit that checks that the appropriate controls are in place and effective and where they are not follow the continual improvement process to address the risks

How to pass an audit

To pass an audit of ISO 27001 Annex A 6.2 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas for compliance with Annex A 6.2. Lets go through them

1. That you have a documented contract of employment

The auditor will meet with the HR team and look for a documented contract of employment template. They will then seek evidence that the contract of employment is in place by reviewing a sample of employees. They will be checking that the terms of this clause have been met.

2. That you have communicated the terms of employment

The process needs to be communicated to relevant and interested parties. The audit will check that the training and awareness plan and the communication plan and look for past evidence that this has happened.

3. That people are aware of their responsibilities

The audit is going to check for documented processes, documented topic specific policy and these have been communicated and people have been trained on what is required of them. It will check if people have a contract with terms and they understand and accept them.

Top 3 Mistakes People Make

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.2 are

1. You have no evidence that anything actually happened

You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated contracts for all employees and personnel and that they meet the requirements of this control. In smaller organisations and start ups it is often the case that this is not in place.

2. One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have. Do they know where the process documents are in relation to the employment process? Has everyone got a contract and received and accepted terms of employment? Do a pre audit as close to the audit as you can that checks the contract and terms of employment process and the HR team that will be involved. Assuming they are doing the right thing is a recipe for disaster. Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

What are the Benefits of ISO 27001 Annex A 6.2 Terms Of Employment?

Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 6.2 Terms of Employment: 

  1. You cannot get ISO 27001 certification without it.
  2. Improved security: You will have an effective information security implementation that is based on people who contracts in place and those contracts cover information security requirements
  3. Reduced risk: You will reduce the information security risks by having legally binding contracts in place with employees that set out the consequences of not meeting information security requirements and being able to enforce them
  4. Improved compliance: Standards and regulations require you to have terms of employment in place
  5. Reputation Protection: In the event of a breach having a terms of employment procedure in place will reduce the potential for fines and reduce the PR impact of an event

Why is Annex A 6.2 Terms Of Employment important?

Terms of employment are important because they protect both the employer and the employee. They set out the expectations of both parties and help to avoid misunderstandings and conflict.

For employers, terms of employment can help to ensure that they are getting the best possible value from their employees. They can also help to protect the employer from legal liability if an employee breaches the terms of their contract.

For employees, terms of employment can help to protect their rights and ensure that they are treated fairly. They can also help to ensure that the employee is aware of their responsibilities and obligations to their employer.

ISO 27001 Controls and Attribute values

Control typeInformation
security properties
Security domains
ProtectHuman resource securityGovernance and ecosystem