- See ISO 27002:2022 Control 6.6 for more information.
- See ISO 27001:2013 Annex A 13.2.4 for more information.
What is ISO 27001:2022 Annex A 6.6?
ISO 27001:2022 Annex A 6.6 states that organisations must put measures in place to protect confidential information from unauthorised disclosure. This includes establishing confidentiality agreements with interested parties and staff.
Organisations should create terms for their agreements with other parties after considering the organisation’s information security needs, the kind of information to be managed, its classification level, the purpose it is meant for, and the access the other party is allowed.
Confidentiality or Non-Disclosure Agreements Explained
A Confidentiality or Non-Disclosure Agreement (NDA) is a legal document that bars the disclosure of trade secrets and other confidential info.
Confidential information can encompass a company’s business plan, financial figures, customers lists, and other exclusive details. These contracts are utilised in a variety of circumstances, such as:
- A confidentiality agreement may form part of an employment contract for a fresh recruit. This ensures that the employee refrains from divulging any confidential information regarding the business, its products or services, personnel or suppliers. Businesses also employ non-disclosure agreements to bar their former employees from revealing sensitive information post-employment.
- Confidentiality agreements are regularly included in business deals, like purchasing a firm, combining with another company, or selling an enterprise. These agreements are designed to stop both parties from revealing any confidential information obtained during the transaction.
- Partnerships involve the use of confidentiality agreements when one party wants to safeguard their existing client or supplier relationships from being disclosed to a fresh partner. For example, if an enterprise requires funding from venture capitalists, it may request these investors to sign NDAs to secure confidential data concerning the company’s products or services.
Partnerships often feature confidentiality clauses in their partnership agreement, whereby each partner agrees to keep any confidential information acquired during the partnership wholly confidential.
Purpose of Confidentiality Agreements
Confidentiality agreements are commonly used by individuals and businesses alike. They serve a range of objectives, including:
- Protecting their trade secrets and proprietary information from competitors who could exploit it.
- Prevent staff from divulging sensitive corporate data to other organisations.
- Securing intellectual property rights such as patents and copyrights.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
What Is the Purpose of ISO 27001:2022 Annex A 6.6?
ISO 27001:2022 Annex A 6.6 should be applied to ensure the security of data when personnel, partners, and vendors collaborate with an organisation.
This control is designed to secure the organisation’s data and to inform signatories of their obligation to manage and safeguard information responsibly and lawfully. It also serves as a tool for preserving intellectual property rights, for instance, patents, trademarks, trade secrets and copyrights.
Employers should ensure a Non-Disclosure Agreement is in place before any confidential information is disclosed to an employee or contractor. The Agreement will clarify the individual’s responsibility to maintain the secrecy of the information and the duration of the period of confidentiality after employment has ended.
Annex A 6.6 Explained
ISO 27001:2022 Annex A Control 6.6 is designed to safeguard your organisation’s intellectual property and business interests by stopping the divulging of confidential data to third parties. It involves the establishment of a legal agreement or arrangement between your organisation and its personnel, associates, contractors, suppliers and other outsiders, that controls the use of classified information.
Confidential information is any data that has not been made public or shared with other organisations in the same sector. This encompasses trade secrets, client registries, formulas and business strategies.
Assess control when deciding if a third party will be allowed access to sensitive personal data and if steps must be taken to guarantee they do not keep or continue to access the organisation’s sensitive personal data when they leave.
When a third party is leaving an organisation, and there is potential for sensitive data to be exposed, the organisation must take necessary steps to prevent disclosure before or shortly after their departure.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
What Is Involved and How to Meet the Requirements
ISO 27001:2022 Annex A 6.6 requires that parties to the agreement refrain from disclosing confidential information that falls under its scope. Consent from the organisation is needed in any cases where disclosure is necessary, barring a court order. This provision is essential to safeguard data concerning business activities, intellectual property and research and development.
To comply with Annex A 6.6, a confidentiality and non-disclosure agreement/contract must be prepared with precision to protect all trade secrets and sensitive data/information related to the company’s activities and transactions. It is essential that both parties comprehend their duties and responsibilities under the agreement during and after the conclusion of the business partnership.
A confidentiality clause may be included in contracts that stretch beyond the employee’s employment or the engagement of third parties. This should be done to ensure the information remains secure.
It is essential that a departing employee or one changing job has their security duties and responsibilities transferred to someone new, with all access credentials removed and fresh ones created.
When assessing confidentiality and non-disclosure agreements, one should bear several elements in mind.:
- The confidential data that must be safeguarded.
- The Agreement’s duration, including occasions when confidentiality must be sustained perpetually or until the data is made public, shall be determined.
- In the event of the termination of an agreement, the necessary steps that must be taken.
- Signatories must take all necessary action to prevent the unauthorised disclosure of information.
- Ownership of data, confidential business knowledge and intellectual property that has an effect on confidentiality.
- The signatory has the right to use confidential information in accordance with the authorisation.
- The entitlement to oversee or evaluate activities involving extremely classified data.
- The process for informing and informing of unapproved revelations or spills of private information must be followed.
- Upon termination of this agreement, any data or information shared between parties must be returned or destroyed.
- If the agreement is not adhered to, what measures will be taken.
The organisation should ensure that confidentiality and non-disclosure agreements abide by the laws of the relevant jurisdiction.
Periodically and when changes affect their requirements, it is necessary to review confidentiality and non-disclosure agreements.
Further details on this process can be located in the ISO 27001:2022 standard.
Changes and Differences from ISO 27001:2013
ISO 27001:2022 Annex A 6.6 is a modification of ISO 27001:2013 Annex A 13.2.4, rather than a new control.
The two Annex A Controls have various parallels, though they are not identical. For example, the implementation instructions of both are alike, though not the same.
The first part of ISO 27001:2013 implementation guidance, Annex A 13.2.4, emphasises that:
“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organisation.
Elements should be selected or added in consideration of the type of the other party and its permissible access or handling of confidential information.”
Annex A 6.6 of ISO 27001:2022 declares that any organisation must take appropriate measures to:
“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to interested parties and personnel of the organisation.
Based on an organisation’s information security requirements, the terms in the agreements should be determined by taking into consideration the type of information that will be handled, its classification level, its use and the permissible access by the other party.”
Both controls have an analogous structure and function in their individual contexts, though they vary in semantic meaning. Annex A 6.6 uses a more straightforward, user-friendly language, making it easier to comprehend the content and context. Hence, users can more readily identify with the standard.
The 2022 instalment of ISO 27001 includes statements of intent and attribute tables per Annex A Control, to aid understanding and successful implementation. This is not provided in the 2013 edition.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
Who Is in Charge of This Process?
Per Annex A 6.6 of ISO 27001:2022, the Human Resources department typically oversees drafting and enforcing the Confidentiality/Non-Disclosure Agreement in most organisations, working in conjunction with the relevant third party’s supervising manager/department.
The Information Security Officer, Sales, or Production Manager can all act as the Supervising Manager.
The departments and heads must guarantee that any third-party vendors employed by the organisation have proper safety precautions to protect confidential data from unapproved release or utilisation.
All employees must sign a confidentiality agreement at the start of their employment with the company.
In many organisations, irrespective of size, all staff who handle confidential information are required to sign a confidentiality or non-disclosure agreement.
Employees in sales, marketing, customer service and other departments who interact with confidential information regarding clients, customers and vendors must be given training.
Organisations should have policies in place mandating staff to sign a confidentiality agreement prior to gaining access to sensitive information concerning clients or vendors, even if no written agreement is present.
Failure to have a confidentiality agreement policy may lead to serious risks. These risks include:
- Employees can, unintentionally, divulge confidential information to individuals outside of the business who should not have access, thus damaging the organisation.
- An employee may divulge sensitive information to a rival.
- A disgruntled worker may steal the firm’s intellectual property and employ it for their own gain.
- Workers may inadvertently leave confidential data on their desktops at the office or on their laptops at home, risking theft by a cyber-criminal.
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
What Do These Changes Mean for You?
The ISO 27001 standard remains largely unchanged. To enhance usability, it was simply updated. Organisations adhering to this standard thus need not take any extra steps to remain compliant.
In order to meet the changes in ISO 27001:2022, the organisation may need to make slight alterations to their current processes and procedures, especially if they require re-certification.
To gain further insight into the impact of amending ISO 27001:2022 on your business, kindly consult our ISO 27001 guide.
How ISMS.Online Help
ISMS.Online facilitates organisations and businesses in meeting the standards of ISO 27001:2022 by providing a platform that simplifies the management of confidentiality or non-disclosure protocols, allowing them to be updated as necessary, tested, and tracked for efficacy.
We provide a cloud-based platform to manage Confidentiality and Information Security Management Systems, including non-disclosure clauses, risk management, policies, plans, and procedures, all in one centralised spot. The platform is user-friendly and has an intuitive interface that makes it simple to learn.
ISMS.Online facilitates:
- Record your processes conveniently with this user-friendly interface. No need to install any software on your machine or network!
- Streamline your risk assessment process by automating it.
- Ensure adherence to regulations with online reports and checklists.
- Maintain a register of advancement while striving for certification.
ISMS.Online provides a comprehensive selection of tools to help companies and organisations fulfill the requirements of ISO 27001 and/or ISO 27001 ISMS. We make it easy to comply with the industry standard and give you peace of mind.
Get in touch with us now to arrange a demonstration.
