ISO 27002:2022, Control 6.6 – Confidentiality or Non-Disclosure Agreements

ISO 27002:2022 Revised Controls

What is Control 6.6?

Control 6.6 in ISO 27002:2022 covers the need for organisations to prevent the leakage of confidential information by establishing confidentiality agreements with interested parties and personnel.

Organisations should determine the terms of their agreements with other parties based on the organisation’s information security requirements, taking into account the type of information to be handled, its classification level, its intended use, and permitted access by the other party.

Confidentiality or Non-Disclosure Agreements Explained

A confidentiality or non-disclosure agreement (NDA) is a legally binding contract in which the parties agree not to disclose trade secrets and other confidential information shared with them.

Confidential information may include the company’s business plan, financial data, customer lists and other proprietary information. These agreements can be used in a wide range of situations, including:

  • Employment – A confidentiality agreement may be part of the employment contract for a new employee. The agreement ensures that the employee does not disclose any confidential information about the company, its products or services, employees or vendors. Non-disclosure agreements are also used by businesses to prevent their employees from disclosing sensitive information after they leave their jobs.
  • Business transactions – Confidentiality agreements are often included in business transactions, such as purchasing a company, merging with another company or selling a business. The purpose of these agreements is to prevent both parties from disclosing any confidential information obtained during the transaction.
  • Partnerships and investment – Confidentiality clauses are commonly written into partnership agreements so that each partner agrees not to disclose confidential information obtained during the partnership, including details of the other partner’s existing customer and supplier relationships. The same applies to fundraising: a company seeking venture capital may ask prospective investors to sign an NDA before disclosing proprietary information about its products or services.

Purpose of Confidentiality Agreements

Confidentiality agreements are entered into by individuals and businesses alike. They have many purposes, such as:

  • Protecting trade secrets and proprietary information from competitors who might otherwise use it against them;
  • Preventing an employee from sharing sensitive company information with another company; and
  • Protecting intellectual property (IP) rights like patents and copyrights.

Attributes Table

Controls are classified using attributes. Using these, you can quickly match your control selection with commonly used industry terms and specifications.

Attributes for control 6.6 are:

Control type: #Preventive
Information security properties: #Confidentiality
Cybersecurity concepts: #Protect
Operational capabilities: #Human Resource Security, #Information Protection, #Supplier Relationships Security
Security domains: #Governance and Ecosystem

What Is the Purpose of Control 6.6?

Control 6.6 should be implemented in order to ensure the security of information when personnel, partners, and vendors work with an organisation.

This control is intended to safeguard the organisation’s information and to inform signatories of their responsibility to handle and protect information in a responsible and authorised way. It is also used as a tool for protecting intellectual property rights, such as patents, trademarks, trade secrets and copyrights.

An employer should have the agreement signed before it discloses any confidential information to an employee or contractor. The agreement sets out how the individual must protect the information they are exposed to and how long the duty of confidentiality continues after the employment or engagement has ended.

Control 6.6 Explained

Control 6.6 aims to protect the intellectual property and business interests of your organisation by preventing the disclosure of confidential information to unauthorised parties. It refers to a legally enforceable contract or arrangement between your organisation and its employees, partners, contractors, vendors and other third parties that governs the use of confidential information.

Confidential information is information the organisation has classified as confidential and has not made available to the public. Examples include trade secrets, customer lists, formulas and business plans.

The control applies whenever a third party will be given access to confidential information: before access is granted, the organisation should assess what the party may access and how, and what must happen so that the party does not retain or continue to access that information once the relationship ends.

When a third party is leaving the business relationship and there is a risk that confidential information may be disclosed as a result, the organisation should take reasonable steps before the party leaves, or as soon as possible afterwards, to prevent such disclosure, for example by revoking access, recovering or destroying the information held and reminding the party of its continuing obligations under the agreement.

What Is Involved and How to Meet the Requirements

Under control 6.6, the parties to the agreement undertake not to disclose the confidential information it covers. Disclosure is permitted only with the organisation’s written consent or where it is legally compelled, for example by a court order. This protects sensitive information about business practices, intellectual property and research and development.

To meet the requirements of control 6.6, a confidentiality or non-disclosure agreement needs to be carefully drafted so that it covers the trade secrets and sensitive information involved in the organisation’s dealings and transactions. Both parties must understand their obligations under the contract, both during and after the end of the business relationship.

A confidentiality clause may also be included in other contracts, such as employment contracts or supplier agreements, with terms that remain in force after the employee’s employment or the third party’s engagement has ended.

When a person leaves a business relationship or changes role, their security responsibilities and duties should be handed over to a successor, their access rights revoked and any shared credentials they knew changed (see control 6.5, Responsibilities after termination or change of employment).

The following elements should be considered when identifying the requirements for confidentiality or non-disclosure agreements:

  1. A description of the information that needs to be protected (e.g., confidential data);
  2. Duration of an agreement, including situations where confidentiality must be maintained indefinitely or until the information becomes public;
  3. The required actions in the event of termination of an agreement;
  4. Responsibilities and actions signatories should take to prevent unauthorised disclosure of information;
  5. How ownership of information, trade secrets, and intellectual property affects confidentiality;
  6. The permitted use of confidential information, along with the rights of the signatory to use it;
  7. The right to monitor or audit activities involving highly sensitive information;
  8. The procedure for notifying and reporting unauthorised disclosures or leaks of confidential information;
  9. The terms for returning or destroying information upon termination of the agreement;
  10. The actions to be taken if the agreement is not followed.

The organisation should ensure that confidentiality and non-disclosure agreements are in compliance with the laws of the jurisdiction where they apply.

Confidentiality and non-disclosure agreements should be reviewed periodically and whenever changes affect their requirements.

More information on how this works is available in the ISO 27002:2022 standard document.

Changes and Differences from ISO 27002:2013

Control 6.6 in the new ISO 27002:2022 is not a new control, rather, it is a modified version of control 13.2.4 in ISO 27002:2013.

While the two controls contain similar features, they differ slightly. For example, the implementation guidance in the two versions is similar but not identical.

The first part of the implementation guidance in control 13.2.4 in ISO 27002:2013 states that:

“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organisation. Elements should be selected or added in consideration of the type of the other party and its permissible access or handling of confidential information.”

The same section in control 6.6 of ISO 27002:2022 states that:

“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to interested parties and personnel of the organisation.

Based on an organisation’s information security requirements, the terms in the agreements should be determined by taking into consideration the type of information that will be handled, its classification level, its use and the permissible access by the other party.”

The two controls have the same purpose and a similar structure in their respective editions. The substantive change is that the 2022 wording replaces “external parties or employees” with “interested parties and personnel” and states that the terms should be derived from the organisation’s information security requirements, the type and classification level of the information, its use and the other party’s permitted access. Control 6.6 also uses simpler, more direct language, so the content is easier to understand and apply.

In addition, the 2022 version of ISO 27002 includes statements of purpose and attributes tables for each control, which help users understand and implement the controls more effectively. These two sections are not available in the 2013 edition.

Who Is in Charge of This Process?

Control 6.6 does not prescribe who owns the process. In most organisations the human resources or legal department manages the drafting and implementation of confidentiality or non-disclosure agreements, in collaboration with the manager or department that supervises the personnel or third party concerned.

The supervising manager could be the information security officer, or a sales or production manager.

These departments and heads are also responsible for ensuring that any third party vendors used by the organisation have adequate security measures in place to protect confidential information from unauthorised disclosure or use.

They should make sure that all employees sign a confidentiality agreement when they start working for the company.

In most cases (depending on how large the organisation is), confidentiality or non-disclosure agreements are signed by all employees who have access to confidential information.

This typically includes any employee who works in sales, marketing, customer service or other departments where they might come into contact with confidential information regarding clients, customers or vendors.

Where no written agreement yet exists with a party, the organisation’s policy should require that a confidentiality agreement be signed before that party is given access to sensitive information about clients or vendors.

Some risks associated with not having an adequate confidentiality agreement policy in place include:

  • Employees may inadvertently leak sensitive information to someone outside of the company who shouldn’t have access to it, causing damage to the organisation.
  • An employee may disclose sensitive data to a competitor.
  • A disgruntled employee may steal the company’s intellectual property (IP) and use it for his or her own benefit.
  • Employees could leave sensitive information unattended on a workstation at the office or on a laptop at home, where it could be stolen or accessed by an attacker.

What Do These Changes Mean for You?

ISO 27002 is a guidance document; certification is against ISO/IEC 27001, and the 2022 revision has not significantly altered what control 6.6 asks for. The update mainly improves usability: the restructured control, its purpose statement and its attribute table make the guidance easier to apply.

Organisations that already meet control 13.2.4 of ISO 27002:2013 will typically need only minor changes to their existing processes and documentation to align with control 6.6, chiefly updating references to the new control number and checking that their agreements cover the elements listed above. Organisations certified against ISO/IEC 27001:2013 must transition to the 2022 edition within the published transition period, so these updates should be planned before re-certification.

To learn more about how these changes to control 6.6 will influence your organisation, please see our guide on ISO 27002:2022.

How ISMS.Online Helps

ISO 27002 is a widely recognised information security standard that provides guidance on the controls an organisation can implement to protect the confidentiality, integrity and availability of its information; the certifiable requirements for an information security management system are set out in ISO/IEC 27001. The standard was developed by the International Organization for Standardization (ISO) together with the International Electrotechnical Commission (IEC); ISO is a non-governmental organisation that sets, reviews and publishes international standards.

ISMS.Online helps organisations and businesses meet the requirements of ISO 27002 by providing them with a platform that makes it easy to manage their confidentiality or non-disclosure policies and procedures, update them as needed, test them and monitor their effectiveness.

We provide a cloud-based platform for the management of Confidentiality and Information Security Management Systems, including non-disclosure clauses, risk management, policies, plans and procedures, in one central location. The platform is easy to use and has an intuitive interface that makes it simple to learn how to use.

ISMS.Online enables you to:

  • Document your processes. This intuitive interface allows you to document your processes without installing any software on your computer or network.
  • Automate your risk assessment process.
  • Demonstrate compliance easily with online reports and checklists.
  • Keep a record of progress while working toward certification.

ISMS.Online offers a full range of features to help organisations and businesses achieve compliance with the industry standard ISO 27001 and/or ISO 27002 ISMS.

Please contact us today to schedule a demo.

New Controls

ISO/IEC 27002:2022 identifier | ISO/IEC 27002:2013 identifier | Control name
5.7  | New | Threat intelligence
5.23 | New | Information security for use of cloud services
5.30 | New | ICT readiness for business continuity
7.4  | New | Physical security monitoring
8.9  | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.16 | New | Monitoring activities
8.23 | New | Web filtering
8.28 | New | Secure coding

Organisational Controls

ISO/IEC 27002:2022 identifier | ISO/IEC 27002:2013 identifier | Control name
5.1  | 5.1.1, 5.1.2 | Policies for information security
5.2  | 6.1.1 | Information security roles and responsibilities
5.3  | 6.1.2 | Segregation of duties
5.4  | 7.2.1 | Management responsibilities
5.5  | 6.1.3 | Contact with authorities
5.6  | 6.1.4 | Contact with special interest groups
5.7  | New | Threat intelligence
5.8  | 6.1.5, 14.1.1 | Information security in project management
5.9  | 8.1.1, 8.1.2 | Inventory of information and other associated assets
5.10 | 8.1.3, 8.2.3 | Acceptable use of information and other associated assets
5.11 | 8.1.4 | Return of assets
5.12 | 8.2.1 | Classification of information
5.13 | 8.2.2 | Labelling of information
5.14 | 13.2.1, 13.2.2, 13.2.3 | Information transfer
5.15 | 9.1.1, 9.1.2 | Access control
5.16 | 9.2.1 | Identity management
5.17 | 9.2.4, 9.3.1, 9.4.3 | Authentication information
5.18 | 9.2.2, 9.2.5, 9.2.6 | Access rights
5.19 | 15.1.1 | Information security in supplier relationships
5.20 | 15.1.2 | Addressing information security within supplier agreements
5.21 | 15.1.3 | Managing information security in the ICT supply chain
5.22 | 15.2.1, 15.2.2 | Monitoring, review and change management of supplier services
5.23 | New | Information security for use of cloud services
5.24 | 16.1.1 | Information security incident management planning and preparation
5.25 | 16.1.4 | Assessment and decision on information security events
5.26 | 16.1.5 | Response to information security incidents
5.27 | 16.1.6 | Learning from information security incidents
5.28 | 16.1.7 | Collection of evidence
5.29 | 17.1.1, 17.1.2, 17.1.3 | Information security during disruption
5.30 | New | ICT readiness for business continuity
5.31 | 18.1.1, 18.1.5 | Legal, statutory, regulatory and contractual requirements
5.32 | 18.1.2 | Intellectual property rights
5.33 | 18.1.3 | Protection of records
5.34 | 18.1.4 | Privacy and protection of PII
5.35 | 18.2.1 | Independent review of information security
5.36 | 18.2.2, 18.2.3 | Compliance with policies, rules and standards for information security
5.37 | 12.1.1 | Documented operating procedures

People Controls

ISO/IEC 27002:2022 identifier | ISO/IEC 27002:2013 identifier | Control name
6.1 | 7.1.1 | Screening
6.2 | 7.1.2 | Terms and conditions of employment
6.3 | 7.2.2 | Information security awareness, education and training
6.4 | 7.2.3 | Disciplinary process
6.5 | 7.3.1 | Responsibilities after termination or change of employment
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements
6.7 | 6.2.2 | Remote working
6.8 | 16.1.2, 16.1.3 | Information security event reporting

Physical Controls

ISO/IEC 27002:2022 identifier | ISO/IEC 27002:2013 identifier | Control name
7.1  | 11.1.1 | Physical security perimeters
7.2  | 11.1.2, 11.1.6 | Physical entry
7.3  | 11.1.3 | Securing offices, rooms and facilities
7.4  | New | Physical security monitoring
7.5  | 11.1.4 | Protecting against physical and environmental threats
7.6  | 11.1.5 | Working in secure areas
7.7  | 11.2.9 | Clear desk and clear screen
7.8  | 11.2.1 | Equipment siting and protection
7.9  | 11.2.6 | Security of assets off-premises
7.10 | 8.3.1, 8.3.2, 8.3.3, 11.2.5 | Storage media
7.11 | 11.2.2 | Supporting utilities
7.12 | 11.2.3 | Cabling security
7.13 | 11.2.4 | Equipment maintenance
7.14 | 11.2.7 | Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 identifier | ISO/IEC 27002:2013 identifier | Control name
8.1  | 6.2.1, 11.2.8 | User endpoint devices
8.2  | 9.2.3 | Privileged access rights
8.3  | 9.4.1 | Information access restriction
8.4  | 9.4.5 | Access to source code
8.5  | 9.4.2 | Secure authentication
8.6  | 12.1.3 | Capacity management
8.7  | 12.2.1 | Protection against malware
8.8  | 12.6.1, 18.2.3 | Management of technical vulnerabilities
8.9  | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.13 | 12.3.1 | Information backup
8.14 | 17.2.1 | Redundancy of information processing facilities
8.15 | 12.4.1, 12.4.2, 12.4.3 | Logging
8.16 | New | Monitoring activities
8.17 | 12.4.4 | Clock synchronization
8.18 | 9.4.4 | Use of privileged utility programs
8.19 | 12.5.1, 12.6.2 | Installation of software on operational systems
8.20 | 13.1.1 | Networks security
8.21 | 13.1.2 | Security of network services
8.22 | 13.1.3 | Segregation of networks
8.23 | New | Web filtering
8.24 | 10.1.1, 10.1.2 | Use of cryptography
8.25 | 14.2.1 | Secure development life cycle
8.26 | 14.1.2, 14.1.3 | Application security requirements
8.27 | 14.2.5 | Secure system architecture and engineering principles
8.28 | New | Secure coding
8.29 | 14.2.8, 14.2.9 | Security testing in development and acceptance
8.30 | 14.2.7 | Outsourced development
8.31 | 12.1.4, 14.2.6 | Separation of development, test and production environments
8.32 | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change management
8.33 | 14.3.1 | Test information
8.34 | 12.7.1 | Protection of information systems during audit testing