
ISO 27001 Annex A 6.6 Confidentiality Or Non-Disclosure Agreements

Last updated Aug 21, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

A Confidentiality or Non-Disclosure Agreement (NDA) is a legal contract that prohibits a person or entity from disclosing confidential information to others. This type of agreement is often used in business, employment, and other situations where sensitive or confidential information needs to be shared. In ISO 27001 this is known as ISO27001:2022 Annex A 6.6 Confidentiality Or Non-Disclosure Agreements. It is one of the 93 ISO 27001 Annex A controls.

The requirement is that confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreements is an ISO 27001 Annex A control that wants you to ensure that you have non-disclosure agreements or confidentiality clauses in contracts. It wants these to be documented, signed, communicated and enforced, which usually means having a relevant clause in your contracts.

Key Takeaways

  • You will need the support of a legal professional
  • You may need the support of an HR professional

Watch the Tutorial

In the video ISO 27001 Confidentiality or Non Disclosure Agreements Explained – ISO27001:2022 Annex A 6.6 I show you how to implement it and how to pass the audit.

Benefits of implementing Confidentiality Or Non-Disclosure Agreements

The main benefit is that it allows you to protect confidential information, bound by a legally enforceable framework. The benefits of implementing confidentiality and non-disclosure agreements include:

  • Reducing the risk of data breaches by ensuring an effective legal framework is in place
  • Reduced cost of incidents by catching and managing events early and assigning responsibility and accountability
  • Mitigating legal liability by having an agreed and enforceable legal framework in place
  • You cannot get ISO 27001 certification without it
  • Protection of confidential information
  • Building trust with employees and third parties
  • Reputation Protection
  • Intellectual Property Protection
  • Mitigating legal liability

How to implement ISO 27001 Confidentiality Or Non-Disclosure Agreements

You are going to have to ensure that:

  • you have engaged a legal professional
  • your contracts include confidentiality of information using terms that are legally enforceable
  • information that requires protecting has been identified
  • information has been classified
  • Non-disclosure agreements or contracts are signed and in place where required

How to determine what terms you need to include

First, the advice is to consult a legal professional. For general guidance when deciding terms consider:

  • What information will be accessed
  • What classification is the information
  • What will the information be used for

How to identify the requirements you need to include

When deciding on the requirements to include in the non-disclosure agreement or confidentiality clause, consider:

  • A definition of what confidential information is
  • How long the agreement will last for
  • What will happen when the agreement ends
  • What are the responsibilities of all signing the agreement
  • Who owns what information, intellectual property, trade secrets
  • What is the permitted use of confidential information
  • A right to audit
  • How to inform each other of a breach
  • What to do if people don’t stick to the agreements
  • What laws apply

The key steps in drafting a confidentiality or non-disclosure agreement

The steps involved in drafting a confidentiality agreement include:

  1. Identifying the information that needs to be protected
  2. Determining the scope of the agreement
  3. Defining the terms of the agreement
  4. Reviewing and negotiating the agreement
  5. Obtaining signatures on the agreement

Key terms that should be included in a confidentiality or non-disclosure agreement

The key terms that should be included in a confidentiality agreement include:

  • The definition of confidential information
  • The scope of the agreement
  • The obligations of the parties
  • The duration of the agreement
  • The remedies for breach of the agreement

Challenges of using confidentiality or non-disclosure agreements

The challenges of using confidentiality agreements include:

  • Ensuring that the agreements are properly drafted and implemented
  • Obtaining signatures on the agreements
  • Enforcing the agreements

Confidentiality agreements are legal documents, and they should be drafted and implemented in accordance with applicable law. It is best to engage with a legal professional. In some jurisdictions, confidentiality agreements may be unenforceable if they are not drafted in a certain way or if they do not include certain terms.

Who is responsible for drafting and implementing confidentiality or non-disclosure agreements?

The organisation is responsible for drafting and implementing confidentiality agreements. The organisation's legal department is typically responsible for drafting the agreements, and the organisation's human resources department is typically responsible for implementing them. Seek legal advice, whether that is an internal or external resource.

How to pass the audit

To comply with ISO 27001 Annex A 6.6 and pass the audit you are going to implement the ‘how’ to the ‘what’ the control is expecting. You are going to:

  • Get legal help to draft your confidentiality and non-disclosure agreements
  • Ensure that you can evidence they have been reviewed
  • Produce documents and agreements for relevant third parties
  • Demonstrate that they are signed, dated, in date and legally enforceable

What the auditor will check

The audit is going to check a number of areas for compliance with ISO 27001 Annex A 6.6. Let's go through them.

It is easy to download templates or to reuse documents that you already have to cut corners but the auditor will look for evidence that your legal documents are based on legal advice. This may include evidence of engagement, purchase or meetings with legal professionals.

The documents that you have will be checked to ensure that they are signed, dated, in date and relevant to the particular engagement with the third party.

3. That people are aware of their responsibilities

The audit is going to check for documented processes and that these have been communicated and people have been trained on what is required of them.

Top 3 Mistakes People Make

In my experience, these are the top 3 mistakes people make for ISO27001:2022 Annex A 6.6 Confidentiality Or Non-Disclosure Agreements:

The number one mistake that we see is that legal documents are not checked: they are assumed to be in place, but in reality they have expired. Ensure that there is a regular review and that agreements are refreshed as and when needed.

2. Your documents are unenforceable

It is a mistake to cut corners by using non-reputable documents from the internet and assuming that they can be enforced. Ensure all documents and templates are sourced from reputable legal professionals and that they review the contracts and documents that you put in place, both before and after signing.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no leftover comments are all good practices.


ISO 27001 Confidentiality Or Non-Disclosure Agreements FAQ

Do I have to satisfy ISO 27001 Annex A 6.6 Confidentiality Or Non-Disclosure Agreements for ISO 27001 Certification?

Yes. Laws and regulations require that contracts are in place to manage the relationship between entities, and including information security requirements and non-disclosure terms in those contracts is required.

Who is responsible for Confidentiality Or Non-Disclosure Agreements?

HR is responsible for Confidentiality Or Non-Disclosure Agreements. Under the guidance of legal counsel they are best placed to follow best practice and meet the requirements of the law.

Can I write non-disclosure and confidentiality agreements myself?

No. It is not advised that you write these yourself. You should seek the help of a professional; legal advice should be sought.

Where can I get templates for ISO 27001 Annex A 6.6?

ISO 27001 templates that support ISO 27001 Annex A 6.6 are part of the ISO 27001 Toolkit but legal advice from a professional should be sought.

How hard is ISO 27001 Annex A 6.6?

ISO 27001 Annex A 6.6 is hard. It is a profession in its own right and you should seek the help of legal counsel.

How long will ISO 27001 Annex A 6.6 take me?

ISO 27001 Annex A 6.6 is dependent on you seeking legal advice and the time it takes for the legal counsel to provide the required documents and clauses.

How much will ISO 27001 Annex A 6.6 cost me?

The cost of Annex A 6.6 is dependent on the cost of the legal advice you seek.

Why are confidentiality or non disclosure agreements important?

Confidentiality or non-disclosure agreements (CDAs) are important because they help to protect confidential information. This information can include trade secrets, financial data, customer lists, and other proprietary information. By requiring employees and third parties to sign CDAs, organisations can help to ensure that this information is not disclosed to unauthorised individuals.

CDAs are also important because they can help to mitigate legal liability. If confidential information is disclosed in violation of a CDA, the organisation may be able to sue the individual who disclosed the information for damages.

Finally, CDAs can help to build trust with employees and third parties. By requiring these individuals to sign CDAs, organisations can demonstrate that they are committed to protecting confidential information. This can help to build trust and loyalty, which can be beneficial to the organisation in the long run.

Can an organisation use a standard NDA template, or does it need to be customised?

While standard templates can be a starting point, it’s generally best to customise them to reflect the specific nature of your organisation’s confidential information, business operations, and the legal jurisdiction you operate within. This ensures they are effective and enforceable for your unique circumstances.

What evidence will an ISO 27001 auditor look for regarding Annex A 6.6?

Auditors will look for documented procedures for obtaining NDAs, signed copies of agreements (or evidence of their existence and application), evidence of regular review, and proof that new employees/contractors sign them before accessing confidential information.

How often should confidentiality agreements be reviewed and updated?

They should be reviewed at least annually and whenever there are significant changes to the organisation’s business operations, information types, legal requirements, or the nature of relationships with parties holding confidential information.

What is the core concept of Confidentiality or Non-Disclosure Agreements in ISO 27001?

It refers to the requirement for an organisation to establish formal agreements (like NDAs) with individuals and entities who will have access to its confidential information, binding them to protect that information.

What if a third-party vendor refuses to sign our NDA?

This presents a significant information security risk. Your organisation must assess the risk of proceeding without an adequate legal framework in place including the potential impact and consequences. Options include negotiating specific terms, seeking alternative vendors, or implementing compensating controls to manage the risk.


ISO 27001 Annex A 6.6 Attributes Table

  • Control type: Preventive
  • Information security properties: Confidentiality, Integrity, Availability
  • Cybersecurity concepts: Protect
  • Operational capabilities: Human resource security, Information protection, Supplier relationships
  • Security domains: Governance and ecosystem


About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2, and his niche is start-up and early-stage business.