ISO 27001 Annex A 6.6 Audit Checklist

Auditing ISO 27001 Annex A 6.6 (Confidentiality or Non-Disclosure Agreements) means systematically verifying the legal and operational controls that protect proprietary information. The primary implementation requirement is to execute enforceable agreements with all parties; the business benefit is robust intellectual property protection and legal recourse against unauthorised disclosure.

ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreements Audit Checklist

This technical verification tool is designed for lead auditors to establish the legal and operational enforceability of confidentiality obligations. Use this checklist to validate compliance with ISO 27001 Annex A 6.6.

1. NDA Requirement Formalisation Verified

Verification Criteria: A documented policy or procedure exists that mandates the use of Confidentiality or Non-Disclosure Agreements (NDAs) for all parties accessing sensitive information.

Required Evidence: Approved Information Security Policy or a specific Legal/HR Onboarding Procedure citing mandatory NDA execution.

Pass/Fail Test: If the organisation cannot produce a formal requirement mandating NDAs for both internal personnel and external third parties, mark as Non-Compliant.

2. Signed Employee Confidentiality Agreements Confirmed

Verification Criteria: Every current employee has a signed confidentiality agreement or equivalent clause within their employment contract on file.

Required Evidence: Sample of 10 personnel files (including diverse roles) containing executed contracts or standalone NDAs.

Pass/Fail Test: If any sampled employee has active system access but lacks a signed record of confidentiality obligations, mark as Non-Compliant.

3. External Third-Party NDA Coverage Validated

Verification Criteria: All external parties (contractors, consultants, vendors) with access to the organisation’s information assets have signed NDAs prior to access being granted.

Required Evidence: Vendor management folder or procurement portal showing executed NDAs for all active high-risk suppliers.

Pass/Fail Test: If a third-party consultant has a corporate login but no record of an NDA or confidentiality clause in their Master Service Agreement (MSA), mark as Non-Compliant.

4. NDA Clause Specificity and Scope Verified

Verification Criteria: The NDAs clearly define what constitutes “Confidential Information” and state the permitted uses and duration of the obligation.

Required Evidence: Review of the standard NDA template used by the legal/procurement department.

Pass/Fail Test: If the NDA uses vague terms like “all information” without defining exclusions or specific handling requirements, mark as Non-Compliant.

5. Post-Termination Survival Clauses Confirmed

Verification Criteria: Confidentiality obligations are explicitly stated to survive the termination of employment or the end of the contractual engagement.

Required Evidence: Executed agreements containing “Survival” or “Post-Termination” clauses (e.g., obligations lasting 2-5 years or indefinitely).

Pass/Fail Test: If the NDA implies that confidentiality ends on the day the contract is terminated, mark as Non-Compliant.

6. Periodic Review of NDA Terms Evidenced

Verification Criteria: Standard NDA templates are reviewed periodically to ensure they meet current legal requirements and organisational risk profiles.

Required Evidence: Legal review logs or version history of the NDA template showing updates within the last 24 months.

Pass/Fail Test: If the organisation is using an NDA template that has not been reviewed for legal sufficiency in over three years, mark as Non-Compliant.

7. Secure Storage of Executed Agreements Verified

Verification Criteria: Signed NDAs are stored in a secure, restricted-access environment to ensure their availability for legal enforcement if required.

Required Evidence: Permissions report for the HR/Legal digital vault or physical verification of locked filing cabinets.

Pass/Fail Test: If executed NDAs are stored on a public company drive or in an unmonitored physical area, mark as Non-Compliant.

8. Flow-down Requirements for Sub-Contractors Validated

Verification Criteria: Where third parties use sub-contractors, the NDA mandates that confidentiality obligations are flowed down to those sub-contractors.

Required Evidence: Sub-contracting clauses within the standard vendor NDA or MSA.

Pass/Fail Test: If a primary vendor can share organisational data with sub-contractors without an equivalent confidentiality mandate, mark as Non-Compliant.

9. Process for Breaches of Confidentiality Confirmed

Verification Criteria: A defined process or disciplinary framework exists to address identified breaches of the confidentiality agreement.

Required Evidence: Employee Handbook or Supplier Code of Conduct detailing the consequences of unauthorised disclosure.

Pass/Fail Test: If there is no documented link between the NDA and the disciplinary/termination process, mark as Non-Compliant.

10. Return or Destruction of Data Clauses Verified

Verification Criteria: NDAs include mandatory requirements for the return or secure destruction of confidential information upon termination of the agreement.

Required Evidence: “Disposal of Information” or “Return of Assets” sections within the sampled NDAs.

Pass/Fail Test: If the agreement is silent on the fate of the data after the contract ends, mark as Non-Compliant.

ISO 27001 Annex A 6.6 SaaS / GRC Platform Failure Checklist

| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Execution Records | The tool marks “NDA” as compliant because a file exists in the user’s profile. | Verify the signature. GRC tools often accept blank or unexecuted templates as “evidence” of a signed agreement. |
| Survival Obligations | SaaS tool verifies that an NDA was “Signed” during onboarding. | Check the clause. If the agreement doesn’t survive the exit date, it’s useless for post-employment data protection. |
| Third-Party Scope | Tool assumes all “Vendors” in the DB have an NDA. | Verify “Non-Standard” vendors. Delivery drivers or temporary facilities staff often bypass GRC portals but hold keys/access. |
| Legal Validity | Platform identifies a “Confidentiality Policy” document. | A policy is not a contract. Auditors must see legally binding agreements, not just a set of “Management Intent” slides. |
| Version Control | Tool tracks that “User A” read the latest policy update. | Check the original contract. Policy updates often do not legally modify the original terms of employment without a formal amendment. |
| Sub-Contractor Flow-down | Tool checks for the presence of a “Sub-processor” list. | Verify the Legal Mandate. Does the vendor’s contract actually forbid sharing with sub-processors who haven’t signed an NDA? |
| Accessibility | SaaS tool records that the “CISO” has access to NDAs. | Test the Searchability. If Legal takes 48 hours to find an NDA during an active breach investigation, the control is failing. |

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigour with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
