UnixTime

Research Note

ISO 27001 A.6.2 - Terms and Conditions of Employment

People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security...

On this page

Requirement

Requirement lens

This control makes security responsibilities explicit in the employment or contractual relationship before people start work or access information.

“The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security.”

Plain-language meaning

People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security responsibility addenda should clearly state what personnel must do to protect information and what the organization is responsible for.

This applies to employees, contractors, and third-party users where they perform work or access information within the ISMS scope.

Why this matters

Security policies are weaker if people never formally accept their responsibilities. Terms and conditions create a clear responsibility baseline before access is granted. They also help the organization enforce requirements, handle non-compliance, protect confidential information, and meet legal and contractual obligations.

This control is not only about confidentiality. Confidentiality is important, but personnel security responsibilities also include acceptable use, classification handling, legal duties, remote work, customer-site behavior, reporting obligations, and consequences of non-compliance.

Implementation guidance

Implementer focus

Make security terms part of the HR, contractor, and third-party onboarding workflow. The control is weak if agreements are signed after access is already active.

1. Define required security responsibilities

Terms should cover the responsibilities relevant to the role and work context.

Typical topics include:

  • following the Information Security Policy and topic-specific policies;
  • handling information according to classification and labelling rules;
  • protecting confidential information;
  • using information processing facilities appropriately;
  • complying with legal, statutory, regulatory, and contractual obligations;
  • reporting security incidents, weaknesses, or suspected misuse;
  • protecting organization assets and access credentials;
  • following remote working, home working, and customer-site rules;
  • consequences of not meeting security responsibilities.

2. Include confidentiality before access

Employees, contractors, and third-party users should sign confidentiality obligations before accessing confidential information.

Confidentiality obligations may apply:

  • during normal working hours;
  • outside normal working hours;
  • during remote work or home work;
  • at customer or partner sites;
  • after employment or contract termination, where legally permitted.

The post-employment part must be legally valid in the relevant jurisdiction. Do not assume every confidentiality clause is enforceable everywhere.

3. Address the organization’s responsibilities

The terms should also state what the organization is responsible for, especially where it handles personnel personal data.

Examples:

  • processing personnel data lawfully;
  • applying data protection requirements;
  • restricting access to HR and personnel records;
  • retaining and disposing of personnel data appropriately;
  • explaining monitoring or acceptable-use controls where required by law.

This links directly to A.5.34 Privacy and Protection of PII.

4. Keep agreements current when roles change

A person may start in one role and later move into a role with stronger security obligations. The process should trigger updated terms, acknowledgements, or addenda when responsibilities change.

Examples:

  • promotion into management;
  • transfer into security, HR, finance, legal, procurement, or privileged IT;
  • access to a new system or information classification;
  • assignment to a customer site;
  • contractor scope expansion.

This control usually fails when everyone assumes someone else owns it.

  • HR owns employee terms and acknowledgements.
  • Procurement or vendor management owns contractor and third-party terms.
  • Legal owns enforceability and contract wording.
  • Security defines the responsibility content and evidence needs.
  • Line managers confirm role-specific responsibilities.

Audit guidance

Auditor focus

Test signed agreements, timing, coverage, and whether the content actually describes information security responsibilities.

Auditors should verify that employment or contractual agreements state both personnel and organization responsibilities for information security.

Audit testing should include:

  • sampled employee contracts or security addenda;
  • sampled contractor and third-party user agreements;
  • confidentiality agreements signed before confidential information access;
  • onboarding records showing terms accepted before work started;
  • role-change records showing updated responsibilities where needed;
  • procedures for maintaining employment terms;
  • evidence that legal, classification, remote-work, customer-site, and post-employment obligations are covered;
  • evidence that the organization’s personal-data responsibilities are stated.

The auditor should challenge generic HR contracts that mention confidentiality once but do not explain actual security responsibilities.

Evidence examples

Evidence quality

Strong evidence shows signed acceptance before access, role relevance, coverage for non-employees, and updates when responsibilities change.

Evidence What it proves
Employment contract security clauses Employee responsibilities are formally stated
Contractor agreement security schedule Non-employee responsibilities are formally stated
Confidentiality agreement register Confidentiality obligations were signed before access
Onboarding acknowledgement records Personnel accepted security responsibilities before work
Security responsibility addendum Role-specific duties are documented
Role-change checklist Updated responsibilities are triggered when duties change
Data protection notice for personnel Organization responsibilities for personnel data are stated
Disciplinary or non-compliance procedure Consequences of non-compliance are defined
Remote work or customer-site terms Responsibilities apply beyond the normal office setting

Strong evidence

  • Signed terms are completed before work starts or before access to confidential information.
  • Agreements cover employees, contractors, and third-party users in ISMS scope.
  • Terms include security, legal, classification, acceptable-use, incident reporting, and confidentiality responsibilities.
  • Responsibilities apply to remote work, customer sites, and outside normal working hours where relevant.
  • Post-employment confidentiality obligations are defined where legally permitted.
  • Role changes trigger updated acknowledgements or contractual addenda.
  • The organization’s responsibilities for personnel personal data are documented.

Weak evidence

  • Generic employment contract with only a vague confidentiality sentence.
  • Agreements are signed after access is granted.
  • Contractors or third-party users receive system access without security terms.
  • No evidence personnel accepted responsibilities.
  • No process to update terms when role responsibilities change.
  • No statement of the organization’s responsibilities for personnel personal data.
  • Security responsibilities are only in a policy that personnel never acknowledge.

Common failures

Implementation watchouts

The common failure is assuming a standard HR contract is enough without checking whether it actually covers information security responsibilities.

Failure Why it matters
Security terms signed late Access is granted before responsibility is accepted
Contractor terms omitted Non-employees can handle information without clear obligations
Confidentiality treated as the whole control Other security and legal responsibilities are missed
No role-change update process Responsibilities become stale after transfers or promotions
No organization privacy statement Personnel data handling obligations are unclear
Terms do not cover remote or customer-site work Real work contexts fall outside the agreement
No consequence wording Enforcement becomes harder when obligations are breached

Exam traps

Exam focus

Do not reduce this control to NDAs. NDAs help, but A.6.2 is broader: it covers personnel and organization responsibilities for information security.

Trap Correct interpretation
A confidentiality agreement alone satisfies A.6.2 It may be part of evidence, but terms should cover broader security responsibilities
Only employees need these terms Contractors and third-party users in scope also need appropriate terms
Terms can be accepted after onboarding Acceptance should occur before work starts or before confidential access
Security responsibilities never need updating Role, access, facility, or work-context changes can require updated terms
The control only defines personnel duties The organization’s responsibilities, including personnel data handling, also matter
Remote work is a separate issue only Terms may need to cover home, remote, customer-site, and outside-hours work

KB-ready summary

  • Employment and contractual agreements should state personnel and organization information security responsibilities.
  • Security responsibilities should be accepted before work starts or before confidential access.
  • The control applies to employees, contractors, and third-party users in scope.
  • Confidentiality agreements are useful but are not the whole control.
  • Terms should cover legal duties, classified information, acceptable use, remote work, customer sites, non-compliance, and post-employment obligations where valid.
  • The organization’s responsibilities for personnel personal data should be stated.
  • Terms should be updated when role or security responsibilities change.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • People controls
  • Personnel security
  • Employment terms
  • Confidentiality
  • Audit

Note Metadata

Aliases: A.6.2, Terms and Conditions of Employment

Source: 03 Annex A People Controls/A.6.2 Terms and Conditions of Employment.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.