ISO 27001:2022 Annex A Control 6.6

Confidentiality or Non-Disclosure Agreements

Book a demo

image,of,man's,hands,typing.,selective,focus

What is ISO 27001:2022 Annex A 6.6?

ISO 27001:2022 Annex A 6.6 states that organisations must put measures in place to protect confidential information from unauthorised disclosure. This includes establishing confidentiality agreements with interested parties and staff.

Organisations should create terms for their agreements with other parties after considering the organisation’s information security needs, the kind of information to be managed, its classification level, the purpose it is meant for, and the access the other party is allowed.

Confidentiality or Non-Disclosure Agreements Explained

A Confidentiality or Non-Disclosure Agreement (NDA) is a legal document that bars the disclosure of trade secrets and other confidential info.

Confidential information can encompass a company’s business plan, financial figures, customers lists, and other exclusive details. These contracts are utilised in a variety of circumstances, such as:

  • A confidentiality agreement may form part of an employment contract for a fresh recruit. This ensures that the employee refrains from divulging any confidential information regarding the business, its products or services, personnel or suppliers. Businesses also employ non-disclosure agreements to bar their former employees from revealing sensitive information post-employment.
  • Confidentiality agreements are regularly included in business deals, like purchasing a firm, combining with another company, or selling an enterprise. These agreements are designed to stop both parties from revealing any confidential information obtained during the transaction.
  • Partnerships involve the use of confidentiality agreements when one party wants to safeguard their existing client or supplier relationships from being disclosed to a fresh partner. For example, if an enterprise requires funding from venture capitalists, it may request these investors to sign NDAs to secure confidential data concerning the company’s products or services.

Partnerships often feature confidentiality clauses in their partnership agreement, whereby each partner agrees to keep any confidential information acquired during the partnership wholly confidential.

Purpose of Confidentiality Agreements

Confidentiality agreements are commonly used by individuals and businesses alike. They serve a range of objectives, including:

  • Protecting their trade secrets and proprietary information from competitors who could exploit it.
  • Prevent staff from divulging sensitive corporate data to other organisations.
  • Securing intellectual property rights such as patents and copyrights.

What Is the Purpose of ISO 27001:2022 Annex A 6.6?

ISO 27001:2022 Annex A 6.6 should be applied to ensure the security of data when personnel, partners, and vendors collaborate with an organisation.

This control is designed to secure the organisation’s data and to inform signatories of their obligation to manage and safeguard information responsibly and lawfully. It also serves as a tool for preserving intellectual property rights, for instance, patents, trademarks, trade secrets and copyrights.

Employers should ensure a Non-Disclosure Agreement is in place before any confidential information is disclosed to an employee or contractor. The Agreement will clarify the individual’s responsibility to maintain the secrecy of the information and the duration of the period of confidentiality after employment has ended.

Annex A 6.6 Explained

ISO 27001:2022 Annex A Control 6.6 is designed to safeguard your organisation’s intellectual property and business interests by stopping the divulging of confidential data to third parties. It involves the establishment of a legal agreement or arrangement between your organisation and its personnel, associates, contractors, suppliers and other outsiders, that controls the use of classified information.

Confidential information is any data that has not been made public or shared with other organisations in the same sector. This encompasses trade secrets, client registries, formulas and business strategies.

Assess control when deciding if a third party will be allowed access to sensitive personal data and if steps must be taken to guarantee they do not keep or continue to access the organisation’s sensitive personal data when they leave.

When a third party is leaving an organisation, and there is potential for sensitive data to be exposed, the organisation must take necessary steps to prevent disclosure before or shortly after their departure.

What Is Involved and How to Meet the Requirements

ISO 27001:2022 Annex A 6.6 requires that parties to the agreement refrain from disclosing confidential information that falls under its scope. Consent from the organisation is needed in any cases where disclosure is necessary, barring a court order. This provision is essential to safeguard data concerning business activities, intellectual property and research and development.

To comply with Annex A 6.6, a confidentiality and non-disclosure agreement/contract must be prepared with precision to protect all trade secrets and sensitive data/information related to the company’s activities and transactions. It is essential that both parties comprehend their duties and responsibilities under the agreement during and after the conclusion of the business partnership.

A confidentiality clause may be included in contracts that stretch beyond the employee’s employment or the engagement of third parties. This should be done to ensure the information remains secure.

It is essential that a departing employee or one changing job has their security duties and responsibilities transferred to someone new, with all access credentials removed and fresh ones created.

When assessing confidentiality and non-disclosure agreements, one should bear several elements in mind.:

  • The confidential data that must be safeguarded.
  • The Agreement’s duration, including occasions when confidentiality must be sustained perpetually or until the data is made public, shall be determined.
  • In the event of the termination of an agreement, the necessary steps that must be taken.
  • Signatories must take all necessary action to prevent the unauthorised disclosure of information.
  • Ownership of data, confidential business knowledge and intellectual property that has an effect on confidentiality.
  • The signatory has the right to use confidential information in accordance with the authorisation.
  • The entitlement to oversee or evaluate activities involving extremely classified data.
  • The process for informing and informing of unapproved revelations or spills of private information must be followed.
  • Upon termination of this agreement, any data or information shared between parties must be returned or destroyed.
  • If the agreement is not adhered to, what measures will be taken.

The organisation should ensure that confidentiality and non-disclosure agreements abide by the laws of the relevant jurisdiction.

Periodically and when changes affect their requirements, it is necessary to review confidentiality and non-disclosure agreements.

Further details on this process can be located in the ISO 27001:2022 standard.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 6.6 is a modification of ISO 27001:2013 Annex A 13.2.4, rather than a new control.

The two Annex A Controls have various parallels, though they are not identical. For example, the implementation instructions of both are alike, though not the same.

The first part of ISO 27001:2013 implementation guidance, Annex A 13.2.4, emphasises that:

“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organisation.

Elements should be selected or added in consideration of the type of the other party and its permissible access or handling of confidential information.”

Annex A 6.6 of ISO 27001:2022 declares that any organisation must take appropriate measures to:

“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to interested parties and personnel of the organisation.

Based on an organisation’s information security requirements, the terms in the agreements should be determined by taking into consideration the type of information that will be handled, its classification level, its use and the permissible access by the other party.”

Both controls have an analogous structure and function in their individual contexts, though they vary in semantic meaning. Annex A 6.6 uses a more straightforward, user-friendly language, making it easier to comprehend the content and context. Hence, users can more readily identify with the standard.

The 2022 instalment of ISO 27001 includes statements of intent and attribute tables per Annex A Control, to aid understanding and successful implementation. This is not provided in the 2013 edition.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

Who Is in Charge of This Process?

Per Annex A 6.6 of ISO 27001:2022, the Human Resources department typically oversees drafting and enforcing the Confidentiality/Non-Disclosure Agreement in most organisations, working in conjunction with the relevant third party’s supervising manager/department.

The Information Security Officer, Sales, or Production Manager can all act as the Supervising Manager.

The departments and heads must guarantee that any third-party vendors employed by the organisation have proper safety precautions to protect confidential data from unapproved release or utilisation.

All employees must sign a confidentiality agreement at the start of their employment with the company.

In many organisations, irrespective of size, all staff who handle confidential information are required to sign a confidentiality or non-disclosure agreement.

Employees in sales, marketing, customer service and other departments who interact with confidential information regarding clients, customers and vendors must be given training.

Organisations should have policies in place mandating staff to sign a confidentiality agreement prior to gaining access to sensitive information concerning clients or vendors, even if no written agreement is present.

Failure to have a confidentiality agreement policy may lead to serious risks. These risks include:

  • Employees can, unintentionally, divulge confidential information to individuals outside of the business who should not have access, thus damaging the organisation.
  • An employee may divulge sensitive information to a rival.
  • A disgruntled worker may steal the firm’s intellectual property and employ it for their own gain.
  • Workers may inadvertently leave confidential data on their desktops at the office or on their laptops at home, risking theft by a cyber-criminal.

What Do These Changes Mean for You?

The ISO 27001 standard remains largely unchanged. To enhance usability, it was simply updated. Organisations adhering to this standard thus need not take any extra steps to remain compliant.

In order to meet the changes in ISO 27001:2022, the organisation may need to make slight alterations to their current processes and procedures, especially if they require re-certification.

To gain further insight into the impact of amending ISO 27001:2022 on your business, kindly consult our ISO 27001 guide.

How ISMS.Online Help

ISMS.Online facilitates organisations and businesses in meeting the standards of ISO 27001:2022 by providing a platform that simplifies the management of confidentiality or non-disclosure protocols, allowing them to be updated as necessary, tested, and tracked for efficacy.

We provide a cloud-based platform to manage Confidentiality and Information Security Management Systems, including non-disclosure clauses, risk management, policies, plans, and procedures, all in one centralised spot. The platform is user-friendly and has an intuitive interface that makes it simple to learn.

ISMS.Online facilitates:

  • Record your processes conveniently with this user-friendly interface. No need to install any software on your machine or network!
  • Streamline your risk assessment process by automating it.
  • Ensure adherence to regulations with online reports and checklists.
  • Maintain a register of advancement while striving for certification.

ISMS.Online provides a comprehensive selection of tools to help companies and organisations fulfill the requirements of ISO 27001 and/or ISO 27001 ISMS. We make it easy to comply with the industry standard and give you peace of mind.

Get in touch with us now to arrange a demonstration.

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Say hello to ISO 27001 success

Get 81% of the work done for you and get certified faster with ISMS.online

Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.