ISO 27001 Annex A 6.6 Confidentiality Or Non-Disclosure Agreements

ISO 27001 Confidentiality Or Non-Disclosure Agreements

In this ultimate guide to ISO 27001 Annex A 6.6 confidentiality or non-disclosure agreements you will learn

• What ISO 27001 confidentiality agreements are
• How to implement confidentiality and non disclosure agreements for ISO 27001

I am Stuart Barker, author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 6.6?

ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreements is an ISO 27001 Annex A control that wants you to ensure that you have non disclosure agreements or confidentiality in contracts. It wants this to be documented, signed, communicated and enforced. Which usually means having a relevant clause in your contracts.

A Confidentiality or Non-Disclosure Agreement (NDA) is a legal contract that prohibits a person or entity from disclosing confidential information to others. This type of agreement is often used in business, employment, and other situations where sensitive or confidential information needs to be shared.

Purpose

The purpose of ISO 27001 Annex A 6.6 Confidentiality or Non-Disclosure Agreement (NDA) is to ensure you maintain confidentiality for information that is accessed by people, external parties and suppliers.

Definition

ISO 27001 defines ISO 27001 Annex A 6.6 as:

Confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

ISO 27001:2022 Annex A 6.6 Confidentiality or Non-Disclosure Agreements

Implementation Guide

General Guidance

You are going to have to ensure that:

• you have engaged a legal professional
• your contracts include confidentiality of information using terms that are legally enforceable
• information that requires protecting has been identified
• information has been classified
• Non-disclosure agreements or contracts are signed and in place where required

How to determine what terms you need to include

First, the advice is to consult a legal professional. For general guidance when deciding terms consider:

• What information will be accessed
• What classification is the information
• What will the information be used for

How to identify requirements

When deciding on the requirements to include in the non disclosure agreement or confidentiality clause:

• A definition of what confidential information is
• How long the agreement will last for
• What will happen when the agreement ends
• What are the responsibilities of all signing the agreement
• Who owns what information, intellectual property, trade secrets
• What is the permitted use of confidential information
• A right to audit
• How to inform each other of a breach
• What to do if people don’t stick to the agreements
• What laws apply

The key steps in drafting a confidentiality or non-disclosure agreement

The steps involved in drafting a confidentiality agreement include:

1. Identifying the information that needs to be protected
2. Determining the scope of the agreement
3. Defining the terms of the agreement
4. Reviewing and negotiating the agreement
5. Obtaining signatures on the agreement

Key terms that should be included in a confidentiality or non-disclosure agreement

The key terms that should be included in a confidentiality agreement include:

• The definition of confidential information
• The scope of the agreement
• The obligations of the parties
• The duration of the agreement
• The remedies for breach of the agreement

Challenges of using confidentiality or non-disclosure agreements

The challenges of using confidentiality agreements include:

• Ensuring that the agreements are properly drafted and implemented
• Obtaining signatures on the agreements
• Enforcing the agreements

Legal implications of confidentiality or non-disclosure agreements

Confidentiality agreements are legal documents, and they should be drafted and implemented in accordance with applicable law. It is best to engage with a legal professional. In some jurisdictions, confidentiality agreements may be unenforceable if they are not drafted in a certain way or if they do not include certain terms.

Who is responsible for drafting and implementing confidentiality or non-disclosure agreements?

The organisation is responsible for drafting and implementing confidentiality agreements. The organisations legal department is typically responsible for drafting the agreements, and the organisation’s human resources department is typically responsible for implementing them. Seek legal advice whether that is internal or external resource.

Watch the Tutorial

Watch the ISO 27001 tutorial on confidentiality or non disclosure agreements.

ISO 27001 Templates

Implementing ISO 27001 can be a significant undertaking and incur significant ISO 27001 Costs. To streamline the process and potentially save valuable time and resources, consider utilising pre-written ISO 27001 templates. This ISO 27001 Toolkit offers a comprehensive set of resources specifically designed for those seeking to achieve ISO 27001 certification independently. With this toolkit, you can potentially build your Information Security Management System (ISMS) within a week and be ready for certification within 30 days.

ISO 27001 Annex A 6.6 FAQ

Matrix of ISO 27001 Controls and Attribute values