What the auditor wants to verify
Audit objective
Verify that confidentiality/NDA needs are identified, documented, reviewed, and signed before access to confidential information.
The auditor wants evidence that agreements reflect actual confidentiality requirements and are legally usable where needed.
Evidence to request
| Evidence | Purpose |
|---|---|
| Confidentiality requirement analysis | Shows when agreements are needed |
| Confidentiality agreement register | Shows who signed what |
| NDA or confidentiality templates | Shows documented agreement content |
| Signed and dated agreements | Shows parties accepted obligations |
| Access approval records | Shows signing happened before access |
| Legal review records | Shows enforceability was considered |
| Review schedule | Shows agreements are periodically reviewed |
| Supplier/customer confidentiality clauses | Shows external exchange is covered |
| Exception records | Shows gaps are known and treated |
Strong evidence
Strong evidence test
Strong evidence connects agreement need, signed party, date, access timing, information type, legal review, and review status.
- Agreement needs are based on legal, contractual, risk, asset, classification, and information-exchange requirements.
- Agreements are signed and dated before access or exchange.
- Different agreement types cover employees, contractors, suppliers, partners, visitors, or other parties as needed.
- Legal review confirms enforceability where appropriate.
- Agreements are reviewed when requirements or relationships change.
- Register tracks parties, agreement type, covered information, date, evidence location, and review date.
Weak evidence
Weak evidence warning
Weak evidence shows a template exists but not that it is used correctly.
- One generic NDA with no requirements analysis.
- Agreement signed after information was shared.
- No register of signed agreements.
- No legal review.
- Suppliers or partners exchange information without confidentiality terms.
- Agreement content is stale or mismatched to current information flows.
Sample interview questions
Ask legal or compliance
- How are confidentiality agreement requirements identified?
- How is enforceability reviewed?
- How often are templates and clauses reviewed?
Ask HR, procurement, or business owners
- How do you confirm an NDA is signed before access?
- Which parties require confidentiality agreements?
- How are supplier or partner agreements tracked?
Ask information owners
- Which information types require confidentiality terms before sharing?
- How do classification or asset valuation results affect NDA requirements?
Common nonconformities
- No documented process to identify NDA requirements.
- Agreements signed after access.
- No register of signed agreements.
- No regular review.
- No legal enforceability review where needed.
- External parties receive confidential information without appropriate terms.
- NDAs not aligned to classification, legal, contractual, or risk requirements.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A6 6
Note Metadata
Aliases: A.6.6 Evidence
Source: 04 Audit Evidence Packs/A.6.6 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements
- Audit Evidence MOC
- AQ-ISO27001-A.6.6 Confidentiality or Non-Disclosure Agreements
- A.6 People Controls Audit Guide
- ISO27001-A.6.6 Confidentiality or Non-Disclosure Agreements
- A.6.6 Audit Checklist
- Confidentiality Agreement Register
- Confidentiality Agreement Review Checklist
- Audit Evidence Index