ISO 27001 Terms and Conditions Of Employment | Annex A 6.2

Home / ISO 27001 Annex A Controls / ISO 27001 Terms and Conditions Of Employment | Annex A 6.2

ISO 27001 Terms and Conditions of Employment

ISO 27001 Terms of Employment are the conditions and agreements that define the relationship between an employer and an employee. These terms typically outline the rights and responsibilities of both parties.

In this ultimate guide to ISO 27001 Terms and Conditions of Employment you will learn

  • What are ISO 27001 Employment Terms and Conditions
  • How to implement Terms and Conditions of Employment for ISO 27001

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 6.2?

ISO 27001 Annex A 6.2 Terms of Employment is an ISO 27001 Annex A control that wants you to have contracts in place with employees that set out responsibilities for information security.

ISO 27001 Annex A 6.2 Purpose

The purpose of ISO 27001 Annex A 6.2 terms of employment is to ensure that employees are fully aware of their information security responsibilities in relation to their role.

ISO 27001 Annex A 6.2 Definition

The ISO 27001 standard defines ISO 27001 Annex A 6.2 terms and conditions of employment as:

The employment contractual agreements should state the personnel’s and the organisations responsibilities for information security. 

ISO 27001:2022 Annex A 6.2 Terms of Employment
ISO 27001 Toolkit

Implementation Guide

General Guidance

You are going to have to

  • engage with a legal professional for professional advice
  • engage with a HR professional for professional advice
  • put in place contracts that include the personnel and the organisations responsibilities for information security
  • ensure you have contractual agreements with all personnel that are legally binding
  • ensure you adhere to all applicable laws and regulations

ISO 27001 Policies

The contract should consider your ISO 27001 policies. That is the main information security policy and any ISO 27001 topic specific policies. Policies are statements of what you do for information security and what is expected of people.

What to include in the employment contract

The following can be considered:

  • NDA, non disclosure agreements
  • confidentiality agreements
  • legal rights

The following are guidance and I am not really sure they sit well in contractual agreements but to be aware that the standard has them as guidance

  • Classification of information
  • management of information
  • management of assets
  • information processing facilities
  • information services
  • handling information you get from third parties and interested parties
  • what actions will be taken if you don’t follow the information security requirements

Communication

You will communicate roles and responsibilities for information security during the pre employment phase of your process.

Agreement

Information security requirements should be agreed which usually is the case of the employee signing the contract and you having a copy of the contract on file.

Appropriateness of terms

You want to make sure that any terms and requirements are appropriate to the person, their role, what they do and the access they have.

Review of terms

As a process of continual improvement be sure to review the terms you have, especially if you change your policies or the laws, or regulations change.

After employment

There are certain things that will remain in place after employment and this is usually defined for a set period of time. Consider things like non disclosure and confidentiality that you may want in place for 12 months post employment ending.

Employee hand book /code of conduct

Having an employee hand book or code of conduct is a fantastic way to share and communicate information security responsibilities and key messages and I have seen this work well in many organisations.

Employees that come from agency / third party

If you have employees that you do not employ directly but rather you use and agency of third party then the agency of third party should really enter into a contract on behalf of those people.

Watch the Tutorial

Watch the ISO 27001 Tutorial on ISO 27001 Terms and Conditions of Employment

How to pass the audit

To comply with ISO 27001 Annex A 6.2 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  • Write, sign off, implement and communicate your topic specific information security policies
  • Write, sign off, implement and communicate your contract of employment template under the guidance and advice of a HR professional and a legal professional
  • Implement your contract of employment with personnel
  • Implement your communication plan to communicate to relevant and interested parties
  • Ensure that the contract of employment meets all laws as well as local laws and regulations
  • Implement a process of internal audit that checks that the appropriate controls are in place and effective and where they are not follow the continual improvement process to address the risks

To pass an audit of ISO 27001 Annex A 6.2 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas for compliance with Annex A 6.2. Lets go through them

1. That you have a documented contract of employment

The auditor will meet with the HR team and look for a documented contract of employment template. They will then seek evidence that the contract of employment is in place by reviewing a sample of employees. They will be checking that the terms of this clause have been met.

2. That you have communicated the terms of employment

The process needs to be communicated to relevant and interested parties. The audit will check that the training and awareness plan and the communication plan and look for past evidence that this has happened.

3. That people are aware of their responsibilities

The audit is going to check for documented processes, documented topic specific policy and these have been communicated and people have been trained on what is required of them. It will check if people have a contract with terms and they understand and accept them.

Top 3 Mistakes People Make

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.2 are

1. You have no evidence that anything actually happened

You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated contracts for all employees and personnel and that they meet the requirements of this control. In smaller organisations and start ups it is often the case that this is not in place.

2. One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have. Do they know where the process documents are in relation to the employment process? Has everyone got a contract and received and accepted terms of employment? Do a pre audit as close to the audit as you can that checks the contract and terms of employment process and the HR team that will be involved. Assuming they are doing the right thing is a recipe for disaster. Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

ISO 27001 Templates

Having ISO 27001 templates can help fast track your ISO 27001 implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification.

ISO 27001 Annex A 6.2 FAQ

What are the Benefits of ISO 27001 Annex A 6.2 Terms Of Employment?

Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 6.2 Terms of Employment: 
You cannot get ISO 27001 certification without it.
Improved security: You will have an effective information security implementation that is based on people who contracts in place and those contracts cover information security requirements
Reduced risk: You will reduce the information security risks by having legally binding contracts in place with employees that set out the consequences of not meeting information security requirements and being able to enforce them
Improved compliance: Standards and regulations require you to have terms of employment in place
Reputation Protection: In the event of a breach having a terms of employment procedure in place will reduce the potential for fines and reduce the PR impact of an event

Why is Annex A 6.2 Terms Of Employment important?

Terms of employment are important because they protect both the employer and the employee. They set out the expectations of both parties and help to avoid misunderstandings and conflict.
For employers, terms of employment can help to ensure that they are getting the best possible value from their employees. They can also help to protect the employer from legal liability if an employee breaches the terms of their contract.
For employees, terms of employment can help to protect their rights and ensure that they are treated fairly. They can also help to ensure that the employee is aware of their responsibilities and obligations to their employer.

Who is responsible for terms and conditions of employment?

HR is responsible for screening employees. Under the guidance of legal counsel they are best placed to follow best practice and meet the requirements of the law.

Will I need the help of a HR professional for ISO 27001 Annex A 6.2?

Yes. You will need the help of a HR professional and a legal professional.

How long will ISO 27001 Annex A 6.2 Terms Of Employment take me to implement?

To implement this should take no more than an hour of your time. HR professionals utilise HR templates and follow standard practices. This should be outsourced to a HR professional.

Do I have to satisfy ISO 27001 Annex A 6.2 Terms and Conditions Of Employment for ISO 27001 Certification?

Yes, if your organisation employees more than 1 person then you need to meet the requirements of this control and legally binding terms and conditions of employment in place.

ISO 27001 Controls and Attribute values

Control typeInformation
security properties
Cybersecurity
concepts
Operational
capabilities
Security domains
PreventiveAvailability
Confidentiality
Integrity
ProtectHuman resource securityGovernance and ecosystem
ISO 27001 Toolkit Business Edition
Do it Yourself ISO 27001 with LIVE EXPERT SUPPORT

ISO 27001:2022 requirements

ISO 27001:2022 Annex A 5 - Organisational Controls

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

ISO 27001:2022 Annex A 8 - Technology Controls

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing