ISO 27001:2022 Annex A Control 6.6

What Is the Purpose of ISO 27001:2022 Annex A 6.6?

ISO 27001:2022 Annex A 6.6 should be applied to ensure the security of data when personnel, partners, and vendors collaborate with an organisation.

This control is designed to secure the organisation’s data and to inform signatories of their obligation to manage and safeguard information responsibly and lawfully. It also serves as a tool for preserving intellectual property rights, for instance, patents, trademarks, trade secrets and copyrights.

Employers should ensure a Non-Disclosure Agreement is in place before any confidential information is disclosed to an employee or contractor. The Agreement will clarify the individual’s responsibility to maintain the secrecy of the information and the duration of the period of confidentiality after employment has ended.

Annex A 6.6 Explained

ISO 27001:2022 Annex A Control 6.6 is designed to safeguard your organisation’s intellectual property and business interests by stopping the divulging of confidential data to third parties. It involves the establishment of a legal agreement or arrangement between your organisation and its personnel, associates, contractors, suppliers and other outsiders, that controls the use of classified information.

Confidential information is any data that has not been made public or shared with other organisations in the same sector. This encompasses trade secrets, client registries, formulas and business strategies.

Assess control when deciding if a third party will be allowed access to sensitive personal data and if steps must be taken to guarantee they do not keep or continue to access the organisation’s sensitive personal data when they leave.

When a third party is leaving an organisation, and there is potential for sensitive data to be exposed, the organisation must take necessary steps to prevent disclosure before or shortly after their departure.

What Is Involved and How to Meet the Requirements

ISO 27001:2022 Annex A 6.6 requires that parties to the agreement refrain from disclosing confidential information that falls under its scope. Consent from the organisation is needed in any cases where disclosure is necessary, barring a court order. This provision is essential to safeguard data concerning business activities, intellectual property and research and development.

To comply with Annex A 6.6, a confidentiality and non-disclosure agreement/contract must be prepared with precision to protect all trade secrets and sensitive data/information related to the company’s activities and transactions. It is essential that both parties comprehend their duties and responsibilities under the agreement during and after the conclusion of the business partnership.

A confidentiality clause may be included in contracts that stretch beyond the employee’s employment or the engagement of third parties. This should be done to ensure the information remains secure.

It is essential that a departing employee or one changing job has their security duties and responsibilities transferred to someone new, with all access credentials removed and fresh ones created.

When assessing confidentiality and non-disclosure agreements, one should bear several elements in mind.:

• The confidential data that must be safeguarded.
• The Agreement’s duration, including occasions when confidentiality must be sustained perpetually or until the data is made public, shall be determined.
• In the event of the termination of an agreement, the necessary steps that must be taken.
• Signatories must take all necessary action to prevent the unauthorised disclosure of information.
• Ownership of data, confidential business knowledge and intellectual property that has an effect on confidentiality.
• The signatory has the right to use confidential information in accordance with the authorisation.
• The entitlement to oversee or evaluate activities involving extremely classified data.
• The process for informing and informing of unapproved revelations or spills of private information must be followed.
• Upon termination of this agreement, any data or information shared between parties must be returned or destroyed.
• If the agreement is not adhered to, what measures will be taken.

The organisation should ensure that confidentiality and non-disclosure agreements abide by the laws of the relevant jurisdiction.

Periodically and when changes affect their requirements, it is necessary to review confidentiality and non-disclosure agreements.

Further details on this process can be located in the ISO 27001:2022 standard.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 6.6 is a modification of ISO 27001:2013 Annex A 13.2.4, rather than a new control.

The two Annex A Controls have various parallels, though they are not identical. For example, the implementation instructions of both are alike, though not the same.

The first part of ISO 27001:2013 implementation guidance, Annex A 13.2.4, emphasises that:

“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organisation.

Elements should be selected or added in consideration of the type of the other party and its permissible access or handling of confidential information.”

Annex A 6.6 of ISO 27001:2022 declares that any organisation must take appropriate measures to:

“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to interested parties and personnel of the organisation.

Based on an organisation’s information security requirements, the terms in the agreements should be determined by taking into consideration the type of information that will be handled, its classification level, its use and the permissible access by the other party.”

Both controls have an analogous structure and function in their individual contexts, though they vary in semantic meaning. Annex A 6.6 uses a more straightforward, user-friendly language, making it easier to comprehend the content and context. Hence, users can more readily identify with the standard.

The 2022 instalment of ISO 27001 includes statements of intent and attribute tables per Annex A Control, to aid understanding and successful implementation. This is not provided in the 2013 edition.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

Who Is in Charge of This Process?

Per Annex A 6.6 of ISO 27001:2022, the Human Resources department typically oversees drafting and enforcing the Confidentiality/Non-Disclosure Agreement in most organisations, working in conjunction with the relevant third party’s supervising manager/department.

The Information Security Officer, Sales, or Production Manager can all act as the Supervising Manager.

The departments and heads must guarantee that any third-party vendors employed by the organisation have proper safety precautions to protect confidential data from unapproved release or utilisation.

All employees must sign a confidentiality agreement at the start of their employment with the company.

In many organisations, irrespective of size, all staff who handle confidential information are required to sign a confidentiality or non-disclosure agreement.

Employees in sales, marketing, customer service and other departments who interact with confidential information regarding clients, customers and vendors must be given training.

Organisations should have policies in place mandating staff to sign a confidentiality agreement prior to gaining access to sensitive information concerning clients or vendors, even if no written agreement is present.

Failure to have a confidentiality agreement policy may lead to serious risks. These risks include:

• Employees can, unintentionally, divulge confidential information to individuals outside of the business who should not have access, thus damaging the organisation.
• An employee may divulge sensitive information to a rival.
• A disgruntled worker may steal the firm’s intellectual property and employ it for their own gain.
• Workers may inadvertently leave confidential data on their desktops at the office or on their laptops at home, risking theft by a cyber-criminal.

What Do These Changes Mean for You?

The ISO 27001 standard remains largely unchanged. To enhance usability, it was simply updated. Organisations adhering to this standard thus need not take any extra steps to remain compliant.

In order to meet the changes in ISO 27001:2022, the organisation may need to make slight alterations to their current processes and procedures, especially if they require re-certification.

To gain further insight into the impact of amending ISO 27001:2022 on your business, kindly consult our ISO 27001 guide.

How ISMS.Online Help

ISMS.Online facilitates organisations and businesses in meeting the standards of ISO 27001:2022 by providing a platform that simplifies the management of confidentiality or non-disclosure protocols, allowing them to be updated as necessary, tested, and tracked for efficacy.

We provide a cloud-based platform to manage Confidentiality and Information Security Management Systems, including non-disclosure clauses, risk management, policies, plans, and procedures, all in one centralised spot. The platform is user-friendly and has an intuitive interface that makes it simple to learn.

ISMS.Online facilitates:

• Record your processes conveniently with this user-friendly interface. No need to install any software on your machine or network!
• Streamline your risk assessment process by automating it.
• Ensure adherence to regulations with online reports and checklists.
• Maintain a register of advancement while striving for certification.

ISMS.Online provides a comprehensive selection of tools to help companies and organisations fulfill the requirements of ISO 27001 and/or ISO 27001 ISMS. We make it easy to comply with the industry standard and give you peace of mind.

Get in touch with us now to arrange a demonstration.