ISO 27001 Annex A 6.6 Confidentiality Or Non-Disclosure Agreements


ISO 27001 Confidentiality Or Non-Disclosure Agreements

In this ultimate guide to ISO 27001 Annex A 6.6 Confidentiality Or Non-Disclosure Agreements you will learn

  • What is ISO 27001 Annex A 6.6
  • How to implement ISO 27001 Annex A 6.6

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years' industry experience I will show you what's new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 6.6 Confidentiality Or Non-Disclosure Agreements?

ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreements is an ISO 27001 control that requires you to have non-disclosure agreements or confidentiality terms in contracts. These must be documented, signed, communicated and enforced, which usually means having a relevant clause in your contracts.

ISO 27001 Annex A 6.6 Purpose

ISO 27001 Annex A 6.6 is a preventive control. Its purpose is to ensure that you maintain the confidentiality of information that is accessed by personnel, external parties and suppliers.

ISO 27001 Annex A 6.6 Definition

The ISO 27001 standard defines ISO 27001 Annex A 6.6 as:

Confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

ISO 27001:2022 Annex A 6.6 Confidentiality or Non-Disclosure Agreements


ISO 27001 Annex A 6.6 Implementation Guide

You are going to have to ensure that:

  • you have engaged a legal professional
  • your contracts include confidentiality of information using terms that are legally enforceable
  • information that requires protecting has been identified
  • information has been classified
  • non-disclosure agreements or contracts are signed and in place where required

How to determine what terms you need to include

First, the advice is to consult a legal professional. For general guidance when deciding terms consider:

  • What information will be accessed
  • What classification is the information
  • What will the information be used for

How to identify requirements

When deciding on the requirements to include in the non-disclosure agreement or confidentiality clause, consider including:

  • A definition of what confidential information is
  • How long the agreement will last for
  • What will happen when the agreement ends
  • What are the responsibilities of all signing the agreement
  • Who owns what information, intellectual property, trade secrets
  • What is the permitted use of confidential information
  • A right to audit
  • How to inform each other of a breach
  • What to do if people don’t stick to the agreements
  • What laws apply

What are the steps involved in drafting a confidentiality or non-disclosure agreement?

The steps involved in drafting a confidentiality agreement include:

  1. Identifying the information that needs to be protected
  2. Determining the scope of the agreement
  3. Defining the terms of the agreement
  4. Reviewing and negotiating the agreement
  5. Obtaining signatures on the agreement

What are the key terms that should be included in a confidentiality or non-disclosure agreement?

The key terms that should be included in a confidentiality agreement include:

  • The definition of confidential information
  • The scope of the agreement
  • The obligations of the parties
  • The duration of the agreement
  • The remedies for breach of the agreement

What are the challenges of using confidentiality or non-disclosure agreements?

The challenges of using confidentiality agreements include:

  • Ensuring that the agreements are properly drafted and implemented
  • Obtaining signatures on the agreements
  • Enforcing the agreements

Confidentiality agreements are legal documents, and they should be drafted and implemented in accordance with applicable law. It is best to engage with a legal professional. In some jurisdictions, confidentiality agreements may be unenforceable if they are not drafted in a certain way or if they do not include certain terms.

Who is responsible for drafting and implementing confidentiality or non-disclosure agreements?

The organisation is responsible for drafting and implementing confidentiality agreements. The organisation's legal department is typically responsible for drafting the agreements, and the organisation's human resources department is typically responsible for implementing them. Seek legal advice, whether from an internal or an external resource.


ISO 27001 Templates

Having an ISO 27001 template for control 6.6 can help fast track your implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 implementation.

What are the Benefits of Confidentiality or Non-Disclosure Agreements?

Other than your ISO 27001 certification requiring it, the following are the top 6 benefits of ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreements:

  • You cannot get ISO 27001 certification without it.
  • Protecting confidential information
  • Reducing the risk of data breaches
  • Mitigating legal liability
  • Building trust with employees and third parties
  • Reputation protection: in the event of a breach, having agreements in place will reduce the potential for fines and reduce the PR impact of an event

Why are confidentiality or non disclosure agreements important?

Confidentiality or non-disclosure agreements (CDAs) are important because they help to protect confidential information. This information can include trade secrets, financial data, customer lists, and other proprietary information. By requiring employees and third parties to sign CDAs, organisations can help to ensure that this information is not disclosed to unauthorised individuals.

CDAs are also important because they can help to mitigate legal liability. If confidential information is disclosed in violation of a CDA, the organisation may be able to sue the individual who disclosed the information for damages.

Finally, CDAs can help to build trust with employees and third parties. By requiring these individuals to sign CDAs, organisations can demonstrate that they are committed to protecting confidential information. This can help to build trust and loyalty, which can be beneficial to the organisation in the long run.

ISO 27001 Annex A 6.6 FAQ

ISO 27001 Annex A 6.6 sample PDF?

The ISO 27001 Annex A 6.6 sample PDF is in the High Table ISO 27001 Toolkit.

Are there free templates for ISO 27001 Annex A 6.6?

There are templates for ISO 27001 included in the High Table ISO 27001 Toolkit.

Do I have to satisfy ISO 27001 Annex A 6.6 for ISO 27001 Certification?

Yes. Laws and regulations require that contracts are in place to manage the relationship between entities, that those contracts include information security requirements, and that non-disclosure agreements are in place.

Can I write non-disclosure and confidentiality agreements myself?

No. It is not advised that you write these yourself. Seek the help of a professional; legal advice should be sought.

Where can I get templates for ISO 27001 Annex A 6.6?

ISO 27001 templates for ISO 27001 Annex A 6.6 are part of the High Table ISO 27001 Toolkit.

How hard is ISO 27001 Annex A 6.6?

ISO 27001 Annex A 6.6 is hard. It is a profession in its own right and you should seek the help of legal counsel.

How long will ISO 27001 Annex A 6.6 take me?

The time ISO 27001 Annex A 6.6 takes is dependent on you seeking legal advice and on the time it takes legal counsel to provide the required documents and clauses.

How much will ISO 27001 Annex A 6.6 cost me?

The cost of Annex A 6.6 is dependent on the cost of the legal advice you seek.

ISO 27001 Controls and Attribute Values

  • Control type: Preventive
  • Information security properties: Availability, Confidentiality, Integrity
  • Cybersecurity concepts: Protect
  • Operational capabilities: Human resource security, Information protection, Supplier relationships
  • Security domains: Governance and ecosystem
