What the auditor wants to verify
Audit objective
Verify that employment and contractual agreements state information security responsibilities for personnel and the organization before work or access begins.
The auditor wants evidence that security responsibilities are defined, accepted, role-appropriate, current, and applicable to employees, contractors, and third-party users in scope.
Evidence to request
| Evidence | Purpose |
|---|---|
| Employment contract security clauses | Shows employee security responsibilities are formally stated |
| Contractor or third-party agreement clauses | Shows non-employee responsibilities are formally stated |
| Confidentiality agreements | Shows confidentiality obligations were accepted before access |
| Security responsibility addendum | Shows role-specific duties are documented |
| Onboarding acknowledgement records | Shows personnel accepted terms before starting work |
| Role-change checklist | Shows terms are updated when responsibilities change |
| Personnel data protection notice | Shows the organization’s data handling responsibilities are stated |
| Disciplinary or non-compliance procedure | Shows consequences are defined |
| Remote work or customer-site terms | Shows duties apply outside normal work location where relevant |
Strong evidence
Strong evidence test
Strong evidence proves timing, scope, signature or acknowledgement, role relevance, and update control.
- Agreements are signed before work starts or before confidential access.
- Agreements cover employees, contractors, and third-party users in ISMS scope.
- Terms include confidentiality, acceptable use, classification handling, legal duties, incident reporting, and non-compliance consequences.
- Remote work, customer-site work, and outside-hours responsibilities are covered where relevant.
- Post-employment obligations are stated where legally permitted.
- Role changes trigger updated responsibility acknowledgement.
- Organization responsibilities for personnel personal data are clearly stated.
Weak evidence
Weak evidence warning
Weak evidence usually proves that a contract exists, not that security responsibilities were properly agreed.
- Generic contract with only vague confidentiality language.
- Terms signed after work or access begins.
- Contractor access without signed security terms.
- No process to update terms after role or access changes.
- No evidence that personnel acknowledged the security policy.
- No statement of organization responsibilities for personnel data.
Sample interview questions
Ask HR or legal
- Which security responsibilities are included in employment terms?
- Are confidentiality agreements signed before access to confidential information?
- How do terms address remote work, customer sites, and post-employment obligations?
- How are terms updated when roles change?
- How are personnel personal data responsibilities communicated?
Ask procurement or vendor management
- How are contractor and third-party user security responsibilities documented?
- Are non-employees required to sign confidentiality obligations before access?
Ask personnel or managers
- What security responsibilities did you accept during onboarding?
- What happens if security responsibilities are not followed?
- Were your responsibilities updated when your role changed?
Common nonconformities
- Security responsibilities not stated in employment or contractual agreements.
- Confidentiality agreement missing or signed late.
- Contractors and third-party users omitted.
- Terms do not cover legal, classification, remote-work, or customer-site responsibilities.
- No process to update terms when responsibilities change.
- Organization responsibilities for personnel data not stated.
- Consequences of non-compliance unclear.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A6 2
Note Metadata
Aliases: A.6.2 Evidence
Source: 04 Audit Evidence Packs/A.6.2 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- Audit Evidence MOC
- AQ-ISO27001-A.6.2 Terms and Conditions of Employment
- A.6 People Controls Audit Guide
- A.6.2 Audit Checklist
- Confidentiality Agreement Register
- Personnel Security Responsibility Acknowledgement
- Security Terms and Conditions Checklist
- Audit Evidence Index