In this ultimate how-to audit guide to ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreements, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreements Audit Checklist
- 1. NDA Requirement Formalisation Verified
- 2. Signed Employee Confidentiality Agreements Confirmed
- 3. External Third-Party NDA Coverage Validated
- 4. NDA Clause Specificity and Scope Verified
- 5. Post-Termination Survival Clauses Confirmed
- 6. Periodic Review of NDA Terms Evidenced
- 7. Secure Storage of Executed Agreements Verified
- 8. Flow-down Requirements for Sub-Contractors Validated
- 9. Process for Breaches of Confidentiality Confirmed
- 10. Return or Destruction of Data Clauses Verified
ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreements Audit Checklist
Auditing ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreements is the systematic verification of the legal and operational controls that protect confidential and proprietary information. The Primary Implementation Requirement is to execute enforceable confidentiality agreements with every party that accesses such information; the Business Benefit is robust intellectual property protection and legal recourse against unauthorised disclosure.
This technical verification tool is designed for lead auditors to establish the legal and operational enforceability of confidentiality obligations. Use this checklist to validate compliance with ISO 27001 Annex A 6.6.
1. NDA Requirement Formalisation Verified
Verification Criteria: A documented policy or procedure exists that mandates the use of Confidentiality or Non-Disclosure Agreements (NDAs) for all parties accessing sensitive information.
Required Evidence: Approved Information Security Policy or a specific Legal/HR Onboarding Procedure citing mandatory NDA execution.
Pass/Fail Test: If the organisation cannot produce a formal requirement mandating NDAs for both internal personnel and external third parties, mark as Non-Compliant.
2. Signed Employee Confidentiality Agreements Confirmed
Verification Criteria: Every current employee has a signed confidentiality agreement or equivalent clause within their employment contract on file.
Required Evidence: Sample of 10 personnel files (including diverse roles) containing executed contracts or standalone NDAs.
Pass/Fail Test: If any sampled employee has active system access but lacks a signed record of confidentiality obligations, mark as Non-Compliant.
3. External Third-Party NDA Coverage Validated
Verification Criteria: All external parties (contractors, consultants, vendors) with access to the organisation’s information assets have signed NDAs prior to access being granted.
Required Evidence: Vendor management folder or procurement portal showing executed NDAs (or MSAs containing a confidentiality clause) for all active suppliers with information access, with the sample weighted towards high-risk suppliers.
Pass/Fail Test: If a third-party consultant has a corporate login but no record of an NDA, or of a confidentiality clause in their Master Service Agreement (MSA), dated on or before the date access was granted, mark as Non-Compliant.
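Steps 2 and 3 both come down to the same reconciliation: take the list of active accounts from the identity provider, join it against the HR and procurement registers of signed confidentiality instruments, and flag any active identity with no record, or whose record is dated after access was granted. The script below is an added example written for this guide; it is not part of the original checklist or any auditee's tooling. The identities and NDA records are constructed sample data, and the field names (user_id, party_type, access_granted, instrument, signed) are assumptions about how the exports might be shaped.

```python
"""Reconcile active identities against signed confidentiality records.

Added example for Annex A 6.6 steps 2 and 3. All data below is constructed;
the column names are assumptions about what an IdP export and an HR or
procurement NDA register would contain.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class Identity:
    user_id: str
    party_type: str      # "employee" or "external" (contractor, consultant, vendor)
    access_granted: date  # date the account was first enabled
    active: bool          # False for leavers whose access has been revoked


@dataclass(frozen=True)
class NdaRecord:
    user_id: str
    instrument: str  # "employment_contract", "standalone_nda" or "msa_clause"
    signed: date     # execution date of the instrument


@dataclass(frozen=True)
class Finding:
    user_id: str
    party_type: str
    reason: str


# Constructed sample exports (assumption: one row per account / per instrument).
IDENTITIES: List[Identity] = [
    Identity("e001", "employee", date(2023, 1, 10), True),
    Identity("e002", "employee", date(2023, 3, 1), True),   # no record on file
    Identity("e003", "employee", date(2021, 6, 1), False),  # leaver, access revoked
    Identity("x100", "external", date(2024, 2, 15), True),  # covered by MSA clause
    Identity("x101", "external", date(2024, 5, 1), True),   # NDA signed after access
]

NDA_RECORDS: List[NdaRecord] = [
    NdaRecord("e001", "employment_contract", date(2023, 1, 9)),
    NdaRecord("e003", "employment_contract", date(2021, 5, 28)),
    NdaRecord("x100", "msa_clause", date(2024, 2, 1)),
    NdaRecord("x101", "standalone_nda", date(2024, 5, 20)),
]


def earliest_record_per_user(records: List[NdaRecord]) -> Dict[str, NdaRecord]:
    """Keep the earliest-signed instrument per user; any one valid instrument suffices."""
    earliest: Dict[str, NdaRecord] = {}
    for rec in records:
        current = earliest.get(rec.user_id)
        if current is None or rec.signed < current.signed:
            earliest[rec.user_id] = rec
    return earliest


def reconcile(identities: List[Identity], records: List[NdaRecord]) -> List[Finding]:
    """Return one finding per active identity that fails the step 2/3 pass-fail test.

    Inactive accounts are skipped: the test is about who currently holds access.
    """
    by_user = earliest_record_per_user(records)
    findings: List[Finding] = []
    for ident in identities:
        if not ident.active:
            continue
        rec = by_user.get(ident.user_id)
        if rec is None:
            findings.append(Finding(ident.user_id, ident.party_type,
                                    "active access but no signed confidentiality record"))
        elif rec.signed > ident.access_granted:
            # Step 3 requires the agreement to be in place before access is granted.
            findings.append(Finding(ident.user_id, ident.party_type,
                                    f"{rec.instrument} signed {rec.signed} after access "
                                    f"granted {ident.access_granted}"))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Checklist outcome: a single gap is enough to mark the control Non-Compliant."""
    return "Non-Compliant" if findings else "Compliant"


if __name__ == "__main__":
    results = reconcile(IDENTITIES, NDA_RECORDS)
    for f in results:
        print(f"{f.user_id} ({f.party_type}): {f.reason}")
    print(verdict(results))
```

Run against the real exports, the same script gives the auditor a population-level view rather than a ten-file sample, and it separates the two ways an organisation fails this test: a missing record (step 2) and a record executed only after the account was already live (step 3). Leavers are deliberately excluded here because their obligations are a step 5 question (survival clauses), not a step 2 one.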