Requirement
Requirement lens
This control makes security responsibilities explicit in the employment or contractual relationship before people start work or access information.
“The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security.”
Plain-language meaning
People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security responsibility addenda should clearly state what personnel must do to protect information and what the organization is responsible for.
This applies to employees, contractors, and third-party users where they perform work or access information within the ISMS scope.
Why this matters
Security policies are weaker if people never formally accept their responsibilities. Terms and conditions create a clear responsibility baseline before access is granted. They also help the organization enforce requirements, handle non-compliance, protect confidential information, and meet legal and contractual obligations.
This control is not only about confidentiality. Confidentiality is important, but personnel security responsibilities also include acceptable use, classification handling, legal duties, remote work, customer-site behavior, reporting obligations, and consequences of non-compliance.
Implementation guidance
Implementer focus
Make security terms part of the HR, contractor, and third-party onboarding workflow. The control is weak if agreements are signed after access is already active.
1. Define required security responsibilities
Terms should cover the responsibilities relevant to the role and work context.
Typical topics include:
- following the Information Security Policy and topic-specific policies;
- handling information according to classification and labelling rules;
- protecting confidential information;
- using information processing facilities appropriately;
- complying with legal, statutory, regulatory, and contractual obligations;
- reporting security incidents, weaknesses, or suspected misuse;
- protecting organization assets and access credentials;
- following remote working, home working, and customer-site rules;
- consequences of not meeting security responsibilities.
2. Include confidentiality before access
Employees, contractors, and third-party users should sign confidentiality obligations before accessing confidential information.
Confidentiality obligations may apply:
- during normal working hours;
- outside normal working hours;
- during remote work or home work;
- at customer or partner sites;
- after employment or contract termination, where legally permitted.
The post-employment part must be legally valid in the relevant jurisdiction. Do not assume every confidentiality clause is enforceable everywhere.
3. Address the organization’s responsibilities
The terms should also state what the organization is responsible for, especially where it handles personnel personal data.
Examples:
- processing personnel data lawfully;
- applying data protection requirements;
- restricting access to HR and personnel records;
- retaining and disposing of personnel data appropriately;
- explaining monitoring or acceptable-use controls where required by law.
This links directly to A.5.34 Privacy and Protection of PII.
4. Keep agreements current when roles change
A person may start in one role and later move into a role with stronger security obligations. The process should trigger updated terms, acknowledgements, or addenda when responsibilities change.
Examples:
- promotion into management;
- transfer into security, HR, finance, legal, procurement, or privileged IT;
- access to a new system or information classification;
- assignment to a customer site;
- contractor scope expansion.
5. Coordinate HR, legal, procurement, and security
This control usually fails when everyone assumes someone else owns it.
- HR owns employee terms and acknowledgements.
- Procurement or vendor management owns contractor and third-party terms.
- Legal owns enforceability and contract wording.
- Security defines the responsibility content and evidence needs.
- Line managers confirm role-specific responsibilities.
Audit guidance
Auditor focus
Test signed agreements, timing, coverage, and whether the content actually describes information security responsibilities.
Auditors should verify that employment or contractual agreements state both personnel and organization responsibilities for information security.
Audit testing should include:
- sampled employee contracts or security addenda;
- sampled contractor and third-party user agreements;
- confidentiality agreements signed before confidential information access;
- onboarding records showing terms accepted before work started;
- role-change records showing updated responsibilities where needed;
- procedures for maintaining employment terms;
- evidence that legal, classification, remote-work, customer-site, and post-employment obligations are covered;
- evidence that the organization’s personal-data responsibilities are stated.
The auditor should challenge generic HR contracts that mention confidentiality once but do not explain actual security responsibilities.
Evidence examples
Evidence quality
Strong evidence shows signed acceptance before access, role relevance, coverage for non-employees, and updates when responsibilities change.
| Evidence | What it proves |
|---|---|
| Employment contract security clauses | Employee responsibilities are formally stated |
| Contractor agreement security schedule | Non-employee responsibilities are formally stated |
| Confidentiality agreement register | Confidentiality obligations were signed before access |
| Onboarding acknowledgement records | Personnel accepted security responsibilities before work |
| Security responsibility addendum | Role-specific duties are documented |
| Role-change checklist | Updated responsibilities are triggered when duties change |
| Data protection notice for personnel | Organization responsibilities for personnel data are stated |
| Disciplinary or non-compliance procedure | Consequences of non-compliance are defined |
| Remote work or customer-site terms | Responsibilities apply beyond the normal office setting |
Strong evidence
- Signed terms are completed before work starts or before access to confidential information.
- Agreements cover employees, contractors, and third-party users in ISMS scope.
- Terms include security, legal, classification, acceptable-use, incident reporting, and confidentiality responsibilities.
- Responsibilities apply to remote work, customer sites, and outside normal working hours where relevant.
- Post-employment confidentiality obligations are defined where legally permitted.
- Role changes trigger updated acknowledgements or contractual addenda.
- The organization’s responsibilities for personnel personal data are documented.
Weak evidence
- Generic employment contract with only a vague confidentiality sentence.
- Agreements are signed after access is granted.
- Contractors or third-party users receive system access without security terms.
- No evidence personnel accepted responsibilities.
- No process to update terms when role responsibilities change.
- No statement of the organization’s responsibilities for personnel personal data.
- Security responsibilities are only in a policy that personnel never acknowledge.
Common failures
Implementation watchouts
The common failure is assuming a standard HR contract is enough without checking whether it actually covers information security responsibilities.
| Failure | Why it matters |
|---|---|
| Security terms signed late | Access is granted before responsibility is accepted |
| Contractor terms omitted | Non-employees can handle information without clear obligations |
| Confidentiality treated as the whole control | Other security and legal responsibilities are missed |
| No role-change update process | Responsibilities become stale after transfers or promotions |
| No organization privacy statement | Personnel data handling obligations are unclear |
| Terms do not cover remote or customer-site work | Real work contexts fall outside the agreement |
| No consequence wording | Enforcement becomes harder when obligations are breached |
Exam traps
Exam focus
Do not reduce this control to NDAs. NDAs help, but A.6.2 is broader: it covers personnel and organization responsibilities for information security.
| Trap | Correct interpretation |
|---|---|
| A confidentiality agreement alone satisfies A.6.2 | It may be part of evidence, but terms should cover broader security responsibilities |
| Only employees need these terms | Contractors and third-party users in scope also need appropriate terms |
| Terms can be accepted after onboarding | Acceptance should occur before work starts or before confidential access |
| Security responsibilities never need updating | Role, access, facility, or work-context changes can require updated terms |
| The control only defines personnel duties | The organization’s responsibilities, including personnel data handling, also matter |
| Remote work is a separate issue only | Terms may need to cover home, remote, customer-site, and outside-hours work |
Related controls and concepts
- A.6 People Controls MOC
- A.6.1 Screening
- Information Security Policy
- Roles and Responsibilities
- A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
- A.5.34 Privacy and Protection of PII
- A.5.10 Acceptable Use of Information and Other Associated Assets
- Internal Audit
- Security Responsibilities Addendum
- Security Terms and Conditions Checklist
- Confidentiality Agreement Register
- Personnel Security Responsibility Acknowledgement
- A.6.2 Audit Evidence Pack
- A.6.2 Audit Checklist
KB-ready summary
- Employment and contractual agreements should state personnel and organization information security responsibilities.
- Security responsibilities should be accepted before work starts or before confidential access.
- The control applies to employees, contractors, and third-party users in scope.
- Confidentiality agreements are useful but are not the whole control.
- Terms should cover legal duties, classified information, acceptable use, remote work, customer sites, non-compliance, and post-employment obligations where valid.
- The organization’s responsibilities for personnel personal data should be stated.
- Terms should be updated when role or security responsibilities change.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- People controls
- Personnel security
- Employment terms
- Confidentiality
- Audit
Note Metadata
Aliases: A.6.2, Terms and Conditions of Employment
Source: 03 Annex A People Controls/A.6.2 Terms and Conditions of Employment.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Internal Audit
- Roles and Responsibilities
- ISO 27001 A.5.1 - Policies for Information Security
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.6.1 - Screening
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.4 - Disciplinary Process
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements
- A.6 People Controls MOC
- A.6.2 Audit Evidence Pack
- AQ-ISO27001-A.6.2 Terms and Conditions of Employment
- A.6 People Controls Implementation Guide
- A.6 People Controls Audit Guide
- ISO27001-A.6.2 Terms and Conditions of Employment
- A.6 People Controls Implementation Audit Risk Mapping
- EXAM-016 - People Controls: Screening and Employment Terms
- ISO 27002 Annex A Control Interpretation Map
- A.6.2 Audit Checklist
- Confidentiality Agreement Register
- Personnel Security Responsibility Acknowledgement
- Role-Based Security Training Matrix
- Template - Security Responsibilities Addendum
- Security Terms and Conditions Checklist
- Annex A Controls MOC