UnixTime

Research Note

ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements

The organization should know when confidentiality or non-disclosure agreements are needed, use terms that match its information-protection needs, keep those agreements legally u...

On this page

Requirement

Requirement lens

This control requires confidentiality/NDA needs to be identified, documented, reviewed, and signed before access to confidential information.

“Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.”

Plain-language meaning

The organization should know when confidentiality or non-disclosure agreements are needed, use terms that match its information-protection needs, keep those agreements legally usable, review them regularly, and make sure the right parties sign them before receiving confidential information.

This includes employees, contractors, third-party users, partner organizations, suppliers, and others who may access or receive confidential information.

Why this matters

Confidential information is often exposed through people and relationships, not only systems. NDAs and confidentiality clauses help set legal and behavioral expectations before information is shared.

But an NDA is not magic. It must be appropriate to the information, legally enforceable, signed by the right parties, reviewed when needs change, and supported by handling controls such as classification, access control, secure transfer, and supplier requirements.

Implementation guidance

Implementer focus

Start with information flows and confidentiality requirements, then decide which agreement type is needed. Do not use one generic NDA for every situation without review.

1. Identify confidentiality requirements

Sources include:

  • legal, regulatory, and contractual requirements;
  • privacy and PII obligations;
  • information exchanged with customers, suppliers, partners, and regulators;
  • asset valuation and classification results;
  • trade secrets, designs, source code, financial data, personnel records, and customer information;
  • unplanned exposure scenarios, such as cleaning staff, visitors, shared offices, or support providers.

Confidentiality requirements should align with A.5.12 Classification of Information, A.5.13 Labelling of Information, and A.5.14 Information Transfer.

2. Define agreement types

The organization may need different agreement types.

Agreement type Typical use
Employment confidentiality clause Employee access to organization information
Contractor NDA Individual contractor access to confidential information
Mutual NDA Bid, partnership, acquisition, or joint project discussions
Supplier confidentiality clause Supplier handling of organization or customer information
Visitor or short-term access NDA Temporary exposure to confidential areas or information
Customer-specific confidentiality terms Customer contracts or regulated client work

3. Sign before access

Appropriate confidentiality agreements should be signed and dated before access to confidential information is granted or before information is exchanged.

This should be built into onboarding, supplier onboarding, project initiation, due diligence, visitor access, and third-party access workflows.

Confidentiality terms should be legally enforceable in the relevant context and jurisdiction. Legal or specialist review may be needed, especially for cross-border, employment, supplier, customer, or regulated data scenarios.

The organization should check that agreement terms do not conflict with applicable law, regulation, or existing contractual commitments.

5. Review and update agreements

Confidentiality needs change when:

  • new information types are created or shared;
  • classification or asset valuation changes;
  • legal, regulatory, or contractual requirements change;
  • suppliers, partners, or processing locations change;
  • new unplanned access scenarios appear;
  • incident or audit findings show a gap.

The register should show which agreements exist, who signed them, what they cover, and when review is due.

Audit guidance

Auditor focus

Test whether NDA requirements were identified from real business/legal/security needs and whether agreements were signed before access.

Auditors should verify that confidentiality or non-disclosure agreements exist where needed, match business/legal/security requirements, are legally reviewed where appropriate, and are regularly reviewed.

Audit testing should include:

  • confidentiality requirement analysis;
  • NDA/confidentiality agreement templates;
  • agreement register;
  • samples of employees, contractors, suppliers, partners, and visitors where relevant;
  • evidence agreements were signed before access or exchange;
  • legal review or approval evidence;
  • review/update procedure;
  • mapping to risk assessment, asset classification, legal requirements, and supplier/customer arrangements;
  • exceptions where access occurred without agreement.

The auditor should not accept “we have an NDA template” as sufficient. The test is whether the right agreement was identified, signed, current, and appropriate to the information being protected.

Evidence examples

Evidence quality

Strong evidence ties the agreement to confidentiality need, signer, date, access timing, legal review, and review cycle.

Evidence What it proves
Confidentiality agreement register Agreements are tracked
NDA templates and clauses Agreement content is documented
Signed and dated agreements Parties accepted confidentiality obligations
Legal review record Terms were checked for enforceability
Classification or asset valuation mapping Need for agreement is risk/information-based
Supplier/customer agreement clauses External exchange is covered
Access approval record Agreement was signed before access
Review schedule Agreements are regularly reviewed
Exception record Gaps are known and risk-treated

Strong evidence

  • NDA/confidentiality needs are identified from legal, contractual, risk, classification, asset, and information-exchange requirements.
  • Agreements are signed and dated before access to confidential information.
  • Agreement types are appropriate for employees, contractors, suppliers, partners, visitors, and other relevant parties.
  • Legal review confirms enforceability and no conflict with applicable law.
  • Agreements are reviewed when requirements or business relationships change.
  • Register links agreements to covered information, parties, dates, review status, and evidence locations.

Weak evidence

  • One generic NDA used for all cases without review.
  • Agreement signed after confidential information was shared.
  • No register of who has signed what.
  • Supplier or partner information exchange happens without confidentiality terms.
  • Legal enforceability was never reviewed.
  • Agreements do not reflect current legal, contractual, or information classification needs.
  • Unplanned access groups are ignored.

Common failures

Implementation watchouts

The common failure is treating an NDA as paperwork instead of a control tied to actual confidential information flows.

Failure Why it matters
No requirements analysis Agreements may miss key information or parties
Late signing Confidentiality is agreed after exposure already happened
No review cycle Agreements become stale or unenforceable
No legal review Terms may fail in a dispute
No register The organization cannot prove who is bound
Unplanned access ignored Cleaners, visitors, support staff, or shared spaces can expose information
NDA treated as the only control Confidentiality still needs classification, access, handling, and transfer controls

Exam traps

Exam focus

A.6.6 is not simply “make everyone sign an NDA.” The organization must identify, document, review, and sign agreements that reflect its actual need to protect information.

Trap Correct interpretation
One standard NDA is always enough Agreement content should reflect business, legal, contractual, and information security needs
NDA can be signed after access It should be signed before access to confidential information
Only employees need confidentiality agreements Personnel and other relevant interested parties can be in scope
NDA replaces access control NDA supports confidentiality but does not replace technical and procedural controls
Legal review is unnecessary Enforceability and legal conflicts may require specialist review
Review is only needed after an incident Agreements should be regularly reviewed and updated when requirements change

KB-ready summary

  • A.6.6 requires confidentiality/NDA needs to be identified, documented, reviewed, and signed.
  • Agreements should reflect actual business, legal, contractual, risk, and information-protection needs.
  • Agreements should be signed before access to confidential information or information exchange.
  • Different parties and information flows may need different agreement types.
  • Legal enforceability should be checked where appropriate.
  • Agreements should be reviewed when information, relationships, laws, contracts, or risks change.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • People controls
  • Confidentiality
  • Non disclosure
  • Audit

Note Metadata

Aliases: A.6.6, Confidentiality or Non-Disclosure Agreements, NDA

Source: 03 Annex A People Controls/A.6.6 Confidentiality or Non-Disclosure Agreements.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

9

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.