ISO 27001 Confidentiality Or Non-Disclosure Agreements
In this ultimate guide to ISO 27001 Annex A 6.6 confidentiality or non-disclosure agreements you will learn:
- What ISO 27001 confidentiality agreements are
- How to implement confidentiality and non-disclosure agreements for ISO 27001
I am Stuart Barker, author of the Ultimate ISO 27001 Toolkit.
With over 30 years' industry experience I will show you what's new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.
What is ISO 27001 Annex A 6.6?
ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreements is an ISO 27001 Annex A control that wants you to ensure that you have non-disclosure agreements or confidentiality clauses in contracts. It wants these to be documented, signed, communicated and enforced, which usually means having a relevant clause in your contracts.
A Confidentiality or Non-Disclosure Agreement (NDA) is a legal contract that prohibits a person or entity from disclosing confidential information to others. This type of agreement is often used in business, employment, and other situations where sensitive or confidential information needs to be shared.
Purpose
The purpose of ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreement (NDA) is to ensure you maintain confidentiality for information that is accessed by people, external parties and suppliers.
Definition
ISO 27001 defines ISO 27001 Annex A 6.6 as:
Confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.
ISO 27001:2022 Annex A 6.6 Confidentiality or Non-Disclosure Agreements
Implementation Guide
General Guidance
You are going to have to ensure that:
- you have engaged a legal professional
- your contracts include confidentiality of information using terms that are legally enforceable
- information that requires protecting has been identified
- information has been classified
- non-disclosure agreements or contracts are signed and in place where required
How to determine what terms you need to include
First, the advice is to consult a legal professional. For general guidance when deciding terms consider:
- What information will be accessed
- What classification is the information
- What will the information be used for
How to identify requirements
When deciding on the requirements to include in the non-disclosure agreement or confidentiality clause, consider covering:
- A definition of what confidential information is
- How long the agreement will last for
- What will happen when the agreement ends
- What are the responsibilities of all signing the agreement
- Who owns what information, intellectual property, trade secrets
- What is the permitted use of confidential information
- A right to audit
- How to inform each other of a breach
- What happens if the parties do not comply with the agreement
- What laws apply
The key steps in drafting a confidentiality or non-disclosure agreement
The steps involved in drafting a confidentiality agreement include:
- Identifying the information that needs to be protected
- Determining the scope of the agreement
- Defining the terms of the agreement
- Reviewing and negotiating the agreement
- Obtaining signatures on the agreement
Key terms that should be included in a confidentiality or non-disclosure agreement
The key terms that should be included in a confidentiality agreement include:
- The definition of confidential information
- The scope of the agreement
- The obligations of the parties
- The duration of the agreement
- The remedies for breach of the agreement
Challenges of using confidentiality or non-disclosure agreements
The challenges of using confidentiality agreements include:
- Ensuring that the agreements are properly drafted and implemented
- Obtaining signatures on the agreements
- Enforcing the agreements
Legal implications of confidentiality or non-disclosure agreements
Confidentiality agreements are legal documents, and they should be drafted and implemented in accordance with applicable law. It is best to engage with a legal professional. In some jurisdictions, confidentiality agreements may be unenforceable if they are not drafted in a certain way or if they do not include certain terms.
Who is responsible for drafting and implementing confidentiality or non-disclosure agreements?
The organisation is responsible for drafting and implementing confidentiality agreements. The organisation's legal department is typically responsible for drafting the agreements, and the organisation's human resources department is typically responsible for implementing them. Seek legal advice, whether from an internal or external resource.
ISO 27001 Templates
Implementing ISO 27001 can be a significant undertaking and incur significant ISO 27001 Costs. To streamline the process and potentially save valuable time and resources, consider utilising pre-written ISO 27001 templates. This ISO 27001 Toolkit offers a comprehensive set of resources specifically designed for those seeking to achieve ISO 27001 certification independently. With this toolkit, you can potentially build your Information Security Management System (ISMS) within a week and be ready for certification within 30 days.
ISO 27001 Annex A 6.6 FAQ
Yes. Laws and regulations require that contracts are in place to manage the relationship between entities, that those contracts include information security requirements, and that non-disclosure agreements are in place.
HR is responsible for Confidentiality or Non-Disclosure Agreements. Under the guidance of legal counsel they are best placed to follow best practice and meet the requirements of the law.
No. It is not advised that you write these yourself. You should seek the help of a professional. Legal advice should be sought.
ISO 27001 templates that support ISO 27001 Annex A 6.6 are part of the ISO 27001 Toolkit, but legal advice from a professional should be sought.
ISO 27001 Annex A 6.6 is hard. It is a profession in its own right and you should seek the help of legal counsel.
The time ISO 27001 Annex A 6.6 takes is dependent on you seeking legal advice and the time it takes for the legal counsel to provide the required documents and clauses.
The cost of Annex A 6.6 is dependent on the cost of the legal advice you seek.
Other than your ISO 27001 certification requiring it, the following are the top 6 benefits of ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreements:
- You cannot get ISO 27001 certification without it.
- Protecting confidential information
- Reducing the risk of data breaches
- Mitigating legal liability
- Building trust with employees and third parties
- Reputation protection: in the event of a breach, having agreements in place will reduce the potential for fines and reduce the PR impact of the event
Confidentiality or non-disclosure agreements (CDAs) are important because they help to protect confidential information. This information can include trade secrets, financial data, customer lists, and other proprietary information. By requiring employees and third parties to sign CDAs, organisations can help to ensure that this information is not disclosed to unauthorised individuals.
CDAs are also important because they can help to mitigate legal liability. If confidential information is disclosed in violation of a CDA, the organisation may be able to sue the individual who disclosed the information for damages.
Finally, CDAs can help to build trust with employees and third parties. By requiring these individuals to sign CDAs, organisations can demonstrate that they are committed to protecting confidential information. This can help to build trust and loyalty, which can be beneficial to the organisation in the long run.
Matrix of ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| --- | --- | --- | --- | --- |
| Preventive | Availability, Confidentiality, Integrity | Protect | Human resource security, Information protection, Supplier relationships | Governance and ecosystem |