UnixTime

Research Note

ISO27001-A.6.2 Terms and Conditions of Employment

People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security responsibility addenda should clearly state what personnel must do to protect information and what the organization is responsible for.

On this page

Control Purpose

People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security responsibility addenda should clearly state what personnel must do to protect information and what the organization is responsible for.

Use A.6.2 Terms and Conditions of Employment for the detailed requirement, implementation guidance, audit checks, evidence expectations, and related ISO 27005 context.

Risk Logic

01 Asset What must be protected: data, service, process, person, or facility.
02 Threat Event, actor, or condition that can cause harm.
03 Vulnerability Weakness that makes the threat relevant.
04 Risk Scenario with likelihood, impact, owner, and priority.
05 Treatment Avoid, mitigate, transfer, or accept the risk.
06 Control Safeguard selected through ISO 27001/27002 and the SoA.
07 Evidence Record proving the control exists and operates.
08 Audit Independent verification, finding, or assurance result.

Detailed Note

No published risk scenario is linked to this control yet. Create or link a risk note under the risk knowledge base before treating this control as fully mapped.

Implementation Activities

See A.6.2 Terms and Conditions of Employment.

Evidence Required

See A.6 People Controls MOC and the relevant audit evidence pack.

Audit Questions

  • AQ-ISO27001-A.6.2 Audit Question
  • How does the organization prove ISO27001-A.6.2 is implemented and operating?
  • What evidence shows ownership, review cadence, exceptions, and corrective action?
  • Which failed condition would create an audit finding for this control?

Map this control to personnel risk scenarios, treatment decisions, residual risk, and review triggers.

Use ISO/IEC 27002 guidance to interpret implementation activities, evidence expectations, and control review needs.

Software Architecture Mapping

Relevant objects:

  • control
  • personnel
  • onboarding
  • contract
  • evidence
  • audit_question
  • Iso27001
  • ISO27002
  • Annex a
  • Control
  • Employment terms
  • Confidentiality
  • Personnel security

Note Metadata

Aliases: ISO27001-A.6.2

Source: 06-Control-Knowledge-Base/ISO27001-A.6.2-Terms-and-Conditions-of-Employment.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

3

links

01

Requirement context

Primary control text, framework notes, or adjacent controls this note points to.

02

Audit checks

Audit questions, checklists, or review material connected to the control.

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.