Requirement
Requirement lens
This control requires confidentiality/NDA needs to be identified, documented, reviewed, and signed before access to confidential information.
“Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.”
Plain-language meaning
The organization should know when confidentiality or non-disclosure agreements are needed, use terms that match its information-protection needs, keep those agreements legally usable, review them regularly, and make sure the right parties sign them before receiving confidential information.
This includes employees, contractors, third-party users, partner organizations, suppliers, and others who may access or receive confidential information.
Why this matters
Confidential information is often exposed through people and relationships, not only systems. NDAs and confidentiality clauses help set legal and behavioral expectations before information is shared.
But an NDA is not magic. It must be appropriate to the information, legally enforceable, signed by the right parties, reviewed when needs change, and supported by handling controls such as classification, access control, secure transfer, and supplier requirements.
Implementation guidance
Implementer focus
Start with information flows and confidentiality requirements, then decide which agreement type is needed. Do not use one generic NDA for every situation without review.
1. Identify confidentiality requirements
Sources include:
- legal, regulatory, and contractual requirements;
- privacy and PII obligations;
- information exchanged with customers, suppliers, partners, and regulators;
- asset valuation and classification results;
- trade secrets, designs, source code, financial data, personnel records, and customer information;
- unplanned exposure scenarios, such as cleaning staff, visitors, shared offices, or support providers.
Confidentiality requirements should align with A.5.12 Classification of Information, A.5.13 Labelling of Information, and A.5.14 Information Transfer.
2. Define agreement types
The organization may need different agreement types.
| Agreement type | Typical use |
|---|---|
| Employment confidentiality clause | Employee access to organization information |
| Contractor NDA | Individual contractor access to confidential information |
| Mutual NDA | Bid, partnership, acquisition, or joint project discussions |
| Supplier confidentiality clause | Supplier handling of organization or customer information |
| Visitor or short-term access NDA | Temporary exposure to confidential areas or information |
| Customer-specific confidentiality terms | Customer contracts or regulated client work |
3. Sign before access
Appropriate confidentiality agreements should be signed and dated before access to confidential information is granted or before information is exchanged.
This should be built into onboarding, supplier onboarding, project initiation, due diligence, visitor access, and third-party access workflows.
4. Review legal enforceability
Confidentiality terms should be legally enforceable in the relevant context and jurisdiction. Legal or specialist review may be needed, especially for cross-border, employment, supplier, customer, or regulated data scenarios.
The organization should check that agreement terms do not conflict with applicable law, regulation, or existing contractual commitments.
5. Review and update agreements
Confidentiality needs change when:
- new information types are created or shared;
- classification or asset valuation changes;
- legal, regulatory, or contractual requirements change;
- suppliers, partners, or processing locations change;
- new unplanned access scenarios appear;
- incident or audit findings show a gap.
The register should show which agreements exist, who signed them, what they cover, and when review is due.
Audit guidance
Auditor focus
Test whether NDA requirements were identified from real business/legal/security needs and whether agreements were signed before access.
Auditors should verify that confidentiality or non-disclosure agreements exist where needed, match business/legal/security requirements, are legally reviewed where appropriate, and are regularly reviewed.
Audit testing should include:
- confidentiality requirement analysis;
- NDA/confidentiality agreement templates;
- agreement register;
- samples of employees, contractors, suppliers, partners, and visitors where relevant;
- evidence agreements were signed before access or exchange;
- legal review or approval evidence;
- review/update procedure;
- mapping to risk assessment, asset classification, legal requirements, and supplier/customer arrangements;
- exceptions where access occurred without agreement.
The auditor should not accept “we have an NDA template” as sufficient. The test is whether the right agreement was identified, signed, current, and appropriate to the information being protected.
Evidence examples
Evidence quality
Strong evidence ties the agreement to confidentiality need, signer, date, access timing, legal review, and review cycle.
| Evidence | What it proves |
|---|---|
| Confidentiality agreement register | Agreements are tracked |
| NDA templates and clauses | Agreement content is documented |
| Signed and dated agreements | Parties accepted confidentiality obligations |
| Legal review record | Terms were checked for enforceability |
| Classification or asset valuation mapping | Need for agreement is risk/information-based |
| Supplier/customer agreement clauses | External exchange is covered |
| Access approval record | Agreement was signed before access |
| Review schedule | Agreements are regularly reviewed |
| Exception record | Gaps are known and risk-treated |
Strong evidence
- NDA/confidentiality needs are identified from legal, contractual, risk, classification, asset, and information-exchange requirements.
- Agreements are signed and dated before access to confidential information.
- Agreement types are appropriate for employees, contractors, suppliers, partners, visitors, and other relevant parties.
- Legal review confirms enforceability and no conflict with applicable law.
- Agreements are reviewed when requirements or business relationships change.
- Register links agreements to covered information, parties, dates, review status, and evidence locations.
Weak evidence
- One generic NDA used for all cases without review.
- Agreement signed after confidential information was shared.
- No register of who has signed what.
- Supplier or partner information exchange happens without confidentiality terms.
- Legal enforceability was never reviewed.
- Agreements do not reflect current legal, contractual, or information classification needs.
- Unplanned access groups are ignored.
Common failures
Implementation watchouts
The common failure is treating an NDA as paperwork instead of a control tied to actual confidential information flows.
| Failure | Why it matters |
|---|---|
| No requirements analysis | Agreements may miss key information or parties |
| Late signing | Confidentiality is agreed after exposure already happened |
| No review cycle | Agreements become stale or unenforceable |
| No legal review | Terms may fail in a dispute |
| No register | The organization cannot prove who is bound |
| Unplanned access ignored | Cleaners, visitors, support staff, or shared spaces can expose information |
| NDA treated as the only control | Confidentiality still needs classification, access, handling, and transfer controls |
Exam traps
Exam focus
A.6.6 is not simply “make everyone sign an NDA.” The organization must identify, document, review, and sign agreements that reflect its actual need to protect information.
| Trap | Correct interpretation |
|---|---|
| One standard NDA is always enough | Agreement content should reflect business, legal, contractual, and information security needs |
| NDA can be signed after access | It should be signed before access to confidential information |
| Only employees need confidentiality agreements | Personnel and other relevant interested parties can be in scope |
| NDA replaces access control | NDA supports confidentiality but does not replace technical and procedural controls |
| Legal review is unnecessary | Enforceability and legal conflicts may require specialist review |
| Review is only needed after an incident | Agreements should be regularly reviewed and updated when requirements change |
Related controls and concepts
- A.6 People Controls MOC
- A.6.2 Terms and Conditions of Employment
- A.6.5 Responsibilities After Termination or Change of Employment
- A.5.12 Classification of Information
- A.5.13 Labelling of Information
- A.5.14 Information Transfer
- A.5.20 Addressing Information Security Within Supplier Agreements
- A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
- A.5.34 Privacy and Protection of PII
- Confidentiality Agreement Register
- Confidentiality Agreement Review Checklist
- A.6.6 Audit Evidence Pack
- A.6.6 Audit Checklist
KB-ready summary
- A.6.6 requires confidentiality/NDA needs to be identified, documented, reviewed, and signed.
- Agreements should reflect actual business, legal, contractual, risk, and information-protection needs.
- Agreements should be signed before access to confidential information or information exchange.
- Different parties and information flows may need different agreement types.
- Legal enforceability should be checked where appropriate.
- Agreements should be reviewed when information, relationships, laws, contracts, or risks change.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- People controls
- Confidentiality
- Non disclosure
- Audit
Note Metadata
Aliases: A.6.6, Confidentiality or Non-Disclosure Agreements, NDA
Source: 03 Annex A People Controls/A.6.6 Confidentiality or Non-Disclosure Agreements.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
9
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- A.6 People Controls MOC
- A.6.6 Audit Evidence Pack
- AQ-ISO27001-A.6.6 Confidentiality or Non-Disclosure Agreements
- A.6 People Controls Implementation Guide
- A.6 People Controls Audit Guide
- ISO27001-A.6.6 Confidentiality or Non-Disclosure Agreements
- A.6 People Controls Implementation Audit Risk Mapping
- EXAM-018 - Disciplinary, Termination, and Confidentiality
- ISO 27002 Annex A Control Interpretation Map
- A.6.6 Audit Checklist
- Confidentiality Agreement Register
- Confidentiality Agreement Review Checklist
- Post-Employment Security Responsibilities Register
- Annex A Controls MOC