ISO 27001:2022 Annex A 6.6 Checklist Guide

By Max Edwards | Updated 15 August 2024

Using a checklist for A.6.6 Confidentiality or Non-Disclosure Agreements ensures comprehensive coverage of the compliance requirements and streamlines the management and monitoring of confidentiality commitments. It enhances organisational accountability, fosters a culture of information security, and simplifies the audit process.


ISO 27001 A.6.6 Confidentiality or Non-Disclosure Agreements Checklist

A.6.6 Confidentiality or Non-Disclosure Agreements is a critical control within ISO/IEC 27001:2022, focused on ensuring that all parties involved in handling sensitive information understand and commit to maintaining its confidentiality.

This control mandates the establishment and management of legally binding agreements that obligate individuals or organisations to protect confidential information from unauthorised access or disclosure.

Implementing this control effectively is essential for safeguarding sensitive data, maintaining trust, and complying with legal and regulatory requirements.


Get an 81% headstart

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

Why Should You Comply With Annex A.6.6? Key Aspects and Common Challenges

1. Agreement Definition

Scope and Purpose: Clearly define the scope, purpose, and extent of the confidentiality obligations. This includes specifying what constitutes confidential information and the circumstances under which it is shared.

  • Challenge: Ensuring comprehensive coverage of all confidential information while avoiding overly broad or restrictive terms.
  • Solution: Collaborate with legal experts to draft clear and precise agreements. Conduct regular reviews to ensure coverage of all critical areas. Use examples to illustrate what constitutes confidential information.
  • Related ISO 27001 Clauses: Understanding the context of the organisation and stakeholder requirements (Clauses 4.1, 4.2).

Legal Binding: Ensure that the agreements are legally binding, providing a clear framework for the expectations and responsibilities of all parties.

  • Challenge: Navigating complex legal requirements across different jurisdictions and ensuring enforceability.
  • Solution: Consult with international legal advisers to address jurisdiction-specific requirements and ensure agreements are enforceable globally.
  • Related ISO 27001 Clauses: Leadership commitment and resource provision (Clause 5.1).

2. Agreement Management

Documentation: Properly document all confidentiality or non-disclosure agreements. This includes keeping records of who has signed the agreements and the specific terms agreed upon.

  • Challenge: Managing and organising large volumes of agreements, especially in large organisations with many employees and third parties.
  • Solution: Use document management systems to store and organise agreements. Implement version control to track changes and updates.
  • Related ISO 27001 Clauses: Documented information and control of documented information (Clause 7.5).

Accessibility: Make the agreements easily accessible to those who need to understand their obligations, including employees, contractors, and third parties.

  • Challenge: Ensuring secure and convenient access while preventing unauthorised access to sensitive documents.
  • Solution: Use secure document sharing platforms with role-based access controls so that only authorised personnel can access sensitive agreements.
  • Related ISO 27001 Clauses: Control of documented information and communication (Clause 7.4).

3. Communication and Training

Awareness: Ensure that individuals who sign the agreements are fully aware of their responsibilities and the importance of protecting confidential information.

  • Challenge: Effectively communicating the importance of confidentiality and ensuring consistent understanding across diverse audiences.
  • Solution: Develop targeted communication plans and awareness programmes to highlight the importance of confidentiality. Use multiple channels to reinforce the message.
  • Related ISO 27001 Clauses: Awareness and training (Clauses 7.2, 7.3).

Training: Provide training on handling confidential information and the consequences of non-compliance with the agreements.

  • Challenge: Developing and delivering engaging and comprehensive training programmes that address various learning styles and levels of understanding.
  • Solution: Leverage e-learning platforms to deliver interactive and modular training programmes. Regularly update training content to reflect current best practices and regulations.
  • Related ISO 27001 Clauses: Competence and awareness (Clauses 7.2, 7.3).

4. Regular Review and Updates

Periodic Review: Regularly review the agreements to ensure they remain relevant and effective in protecting confidential information.

  • Challenge: Keeping track of legal and regulatory changes that may necessitate updates to the agreements.
  • Solution: Establish a review schedule and assign responsibility to a compliance officer to monitor legal and regulatory changes and update agreements accordingly.
  • Related ISO 27001 Clauses: Performance evaluation and improvement (Clauses 9.1, 10.2).

Updates: Update the agreements as necessary to reflect changes in laws, regulations, or organisational practices.

  • Challenge: Ensuring timely and consistent updates across all agreements and communicating these changes effectively to all stakeholders.
  • Solution: Implement a version control system and a notification mechanism to inform all relevant parties of updates and require acknowledgment of the new terms.
  • Related ISO 27001 Clauses: Control of changes and improvement (Clauses 8.2, 8.3).

5. Compliance Monitoring

Enforcement: Implement mechanisms to monitor compliance with the agreements and enforce the terms when necessary.

  • Challenge: Detecting and addressing breaches promptly and effectively, particularly in large and complex organisations.
  • Solution: Use compliance monitoring tools and conduct regular audits to ensure adherence to agreements. Establish clear protocols for addressing non-compliance.
  • Related ISO 27001 Clauses: Monitoring, measurement, analysis, and evaluation (Clauses 9.1, 9.2).

Incident Response: Establish procedures for responding to breaches of confidentiality, including investigation, remediation, and disciplinary actions if needed.

  • Challenge: Coordinating a swift and effective response to breaches, including gathering evidence and implementing corrective actions.
  • Solution: Develop and maintain an incident response plan that outlines the steps for detecting, reporting, and responding to breaches. Conduct regular drills to ensure preparedness.
  • Related ISO 27001 Clauses: Incident management, nonconformity and corrective action (Clauses 10.1, 10.2).


Compliance doesn't have to be complicated.

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

ISMS.online Features for Demonstrating Compliance with A.6.6

1. Policy Management

  • Policy Templates: Utilise pre-built templates to create comprehensive confidentiality or non-disclosure agreements.
  • Version Control: Maintain and track different versions of agreements to ensure that the most current and relevant versions are used.

    • Challenge: Ensuring that all stakeholders are aware of and use the latest versions of agreements.
    • Solution: Use ISMS.online’s version control feature to manage document updates and communicate changes effectively.

2. Documentation

  • Document Access: Provide secure access to confidentiality agreements and related documents, ensuring they are available to relevant parties.
  • Retention Management: Implement retention policies to keep agreements for the required period, ensuring compliance with legal and regulatory requirements.

    • Challenge: Balancing the need for document retention with privacy and data protection concerns.
    • Solution: Use ISMS.online’s secure document management system to control access and retention of documents.

3. Training and Awareness

  • Training Modules: Develop and deliver training programmes to educate employees and third parties about their responsibilities under the confidentiality agreements.
  • Acknowledgment Tracking: Track acknowledgments to confirm that individuals have read and understood the confidentiality agreements.

    • Challenge: Ensuring high engagement and completion rates for training and acknowledgment tracking.
    • Solution: Leverage ISMS.online’s training and acknowledgment tracking features to monitor compliance and engagement.

4. Compliance Monitoring

  • Audit Management: Conduct regular audits to ensure adherence to confidentiality agreements and document any non-compliance issues.
  • Incident Management: Use the incident tracker to log, manage, and respond to any breaches of confidentiality, ensuring a structured approach to incident response.

    • Challenge: Maintaining a comprehensive and up-to-date incident management system to quickly identify and address breaches.
    • Solution: Utilise ISMS.online’s audit and incident management tools to systematically manage compliance and incident response.

5. Communication

  • Notification System: Use alerts and notifications to remind individuals of their obligations under the confidentiality agreements and inform them of any updates or changes.

    • Challenge: Ensuring timely and clear communication of updates and reminders without overwhelming recipients with information.
    • Solution: Use ISMS.online’s notification system to manage and automate communications regarding agreement updates and compliance reminders.

Benefits of Using ISMS.online

  • Streamlined Management: Centralises the management of confidentiality agreements, making it easier to track, update, and enforce them.
  • Improved Accountability: Ensures that all parties are aware of their responsibilities and can be held accountable for any breaches.
  • Efficient Compliance: Simplifies the process of demonstrating compliance with ISO 27001:2022 through structured documentation, training, and monitoring tools.

Detailed Annex A.6.6 Compliance Checklist

1. Agreement Definition

  • Clearly define the scope and purpose of the confidentiality agreements.
  • Specify what constitutes confidential information.
  • Ensure agreements are legally binding across all relevant jurisdictions.

2. Agreement Management

  • Document all confidentiality or non-disclosure agreements.
  • Keep records of all signed agreements.
  • Ensure agreements are accessible to relevant parties.
  • Secure access to confidential documents to prevent unauthorised access.

3. Communication and Training

  • Communicate the importance of confidentiality to all stakeholders.
  • Provide comprehensive training on handling confidential information.
  • Track acknowledgment of understanding from all individuals who sign the agreements.

4. Regular Review and Updates

  • Conduct periodic reviews of confidentiality agreements.
  • Update agreements to reflect changes in laws, regulations, or organisational practices.
  • Communicate any updates or changes to all relevant parties.

5. Compliance Monitoring

  • Implement mechanisms to monitor compliance with confidentiality agreements.
  • Enforce the terms of the agreements as necessary.
  • Establish procedures for responding to breaches of confidentiality.
  • Document incidents and corrective actions taken.


Manage all your compliance in one place

ISMS.online supports over 100 standards
and regulations, giving you a single
platform for all your compliance needs.

Book a demo

Every Annex A Control Checklist Table

ISO 27001 Annex A.5 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.5.1  | Policies for Information Security Checklist
Annex A.5.2  | Information Security Roles and Responsibilities Checklist
Annex A.5.3  | Segregation of Duties Checklist
Annex A.5.4  | Management Responsibilities Checklist
Annex A.5.5  | Contact With Authorities Checklist
Annex A.5.6  | Contact With Special Interest Groups Checklist
Annex A.5.7  | Threat Intelligence Checklist
Annex A.5.8  | Information Security in Project Management Checklist
Annex A.5.9  | Inventory of Information and Other Associated Assets Checklist
Annex A.5.10 | Acceptable Use of Information and Other Associated Assets Checklist
Annex A.5.11 | Return of Assets Checklist
Annex A.5.12 | Classification of Information Checklist
Annex A.5.13 | Labelling of Information Checklist
Annex A.5.14 | Information Transfer Checklist
Annex A.5.15 | Access Control Checklist
Annex A.5.16 | Identity Management Checklist
Annex A.5.17 | Authentication Information Checklist
Annex A.5.18 | Access Rights Checklist
Annex A.5.19 | Information Security in Supplier Relationships Checklist
Annex A.5.20 | Addressing Information Security Within Supplier Agreements Checklist
Annex A.5.21 | Managing Information Security in the ICT Supply Chain Checklist
Annex A.5.22 | Monitoring, Review and Change Management of Supplier Services Checklist
Annex A.5.23 | Information Security for Use of Cloud Services Checklist
Annex A.5.24 | Information Security Incident Management Planning and Preparation Checklist
Annex A.5.25 | Assessment and Decision on Information Security Events Checklist
Annex A.5.26 | Response to Information Security Incidents Checklist
Annex A.5.27 | Learning From Information Security Incidents Checklist
Annex A.5.28 | Collection of Evidence Checklist
Annex A.5.29 | Information Security During Disruption Checklist
Annex A.5.30 | ICT Readiness for Business Continuity Checklist
Annex A.5.31 | Legal, Statutory, Regulatory and Contractual Requirements Checklist
Annex A.5.32 | Intellectual Property Rights Checklist
Annex A.5.33 | Protection of Records Checklist
Annex A.5.34 | Privacy and Protection of PII Checklist
Annex A.5.35 | Independent Review of Information Security Checklist
Annex A.5.36 | Compliance With Policies, Rules, and Standards for Information Security Checklist
Annex A.5.37 | Documented Operating Procedures Checklist


ISO 27001 Annex A.6 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.6.1 | Screening Checklist
Annex A.6.2 | Terms and Conditions of Employment Checklist
Annex A.6.3 | Information Security Awareness, Education and Training Checklist
Annex A.6.4 | Disciplinary Process Checklist
Annex A.6.5 | Responsibilities After Termination or Change of Employment Checklist
Annex A.6.6 | Confidentiality or Non-Disclosure Agreements Checklist
Annex A.6.7 | Remote Working Checklist
Annex A.6.8 | Information Security Event Reporting Checklist


ISO 27001 Annex A.7 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.7.1  | Physical Security Perimeters Checklist
Annex A.7.2  | Physical Entry Checklist
Annex A.7.3  | Securing Offices, Rooms, and Facilities Checklist
Annex A.7.4  | Physical Security Monitoring Checklist
Annex A.7.5  | Protecting Against Physical and Environmental Threats Checklist
Annex A.7.6  | Working in Secure Areas Checklist
Annex A.7.7  | Clear Desk and Clear Screen Checklist
Annex A.7.8  | Equipment Siting and Protection Checklist
Annex A.7.9  | Security of Assets Off-Premises Checklist
Annex A.7.10 | Storage Media Checklist
Annex A.7.11 | Supporting Utilities Checklist
Annex A.7.12 | Cabling Security Checklist
Annex A.7.13 | Equipment Maintenance Checklist
Annex A.7.14 | Secure Disposal or Re-Use of Equipment Checklist


ISO 27001 Annex A.8 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.8.1  | User Endpoint Devices Checklist
Annex A.8.2  | Privileged Access Rights Checklist
Annex A.8.3  | Information Access Restriction Checklist
Annex A.8.4  | Access to Source Code Checklist
Annex A.8.5  | Secure Authentication Checklist
Annex A.8.6  | Capacity Management Checklist
Annex A.8.7  | Protection Against Malware Checklist
Annex A.8.8  | Management of Technical Vulnerabilities Checklist
Annex A.8.9  | Configuration Management Checklist
Annex A.8.10 | Information Deletion Checklist
Annex A.8.11 | Data Masking Checklist
Annex A.8.12 | Data Leakage Prevention Checklist
Annex A.8.13 | Information Backup Checklist
Annex A.8.14 | Redundancy of Information Processing Facilities Checklist
Annex A.8.15 | Logging Checklist
Annex A.8.16 | Monitoring Activities Checklist
Annex A.8.17 | Clock Synchronisation Checklist
Annex A.8.18 | Use of Privileged Utility Programs Checklist
Annex A.8.19 | Installation of Software on Operational Systems Checklist
Annex A.8.20 | Networks Security Checklist
Annex A.8.21 | Security of Network Services Checklist
Annex A.8.22 | Segregation of Networks Checklist
Annex A.8.23 | Web Filtering Checklist
Annex A.8.24 | Use of Cryptography Checklist
Annex A.8.25 | Secure Development Life Cycle Checklist
Annex A.8.26 | Application Security Requirements Checklist
Annex A.8.27 | Secure System Architecture and Engineering Principles Checklist
Annex A.8.28 | Secure Coding Checklist
Annex A.8.29 | Security Testing in Development and Acceptance Checklist
Annex A.8.30 | Outsourced Development Checklist
Annex A.8.31 | Separation of Development, Test and Production Environments Checklist
Annex A.8.32 | Change Management Checklist
Annex A.8.33 | Test Information Checklist
Annex A.8.34 | Protection of Information Systems During Audit Testing Checklist


How ISMS.online Helps With A.6.6

Ready to enhance your organisation’s information security posture and ensure compliance with ISO 27001:2022?

Discover how ISMS.online can streamline your management of confidentiality or non-disclosure agreements and much more. Our comprehensive platform provides the tools and features you need to implement and maintain robust information security practices effectively.

Take the first step towards securing your sensitive information and achieving ISO 27001:2022 compliance.

Contact ISMS.online today to book a demo and see how our solution can transform your information security management system.
