
What is Control 6.6?

Control 6.6 in ISO 27002:2022 covers the need for organisations to prevent the leakage of confidential information by establishing confidentiality agreements with interested parties and personnel.

Organisations should determine the terms of their agreements with other parties based on the organisation’s information security requirements, taking into account the type of information to be handled, its classification level, its intended use, and permitted access by the other party.

Confidentiality or Non-Disclosure Agreements Explained

A confidentiality or non-disclosure agreement (NDA) is a legally enforceable contract under which a party agrees not to disclose, or use beyond the agreed purpose, the trade secrets and other confidential information it receives.

Confidential information may include the company’s business plan, financial data, customer lists and other proprietary information. These agreements can be used in a wide range of situations, including:

  • Employment – A confidentiality agreement may form part of the employment contract for a new employee. It binds the employee not to disclose confidential information about the company, its products or services, its employees or its vendors. Businesses also rely on non-disclosure agreements to prevent former employees from disclosing sensitive information after they leave.
  • Business transactions – Confidentiality agreements are routinely included in transactions such as acquiring a company, merging with another company or selling a business. Their purpose is to prevent either party from disclosing confidential information obtained during the transaction, whether or not the deal completes.
  • Partnerships and investment – Confidentiality agreements are used when one party must share proprietary information, or details of its existing customer and supplier relationships, with a prospective partner or investor. For example, a company seeking funding from venture capitalists may ask those investors to sign NDAs to protect proprietary information about its products or services.

Partnerships often include confidentiality clauses as part of their partnership agreement so each partner agrees not to disclose any confidential information obtained during their partnership.

Purpose of Confidentiality Agreements

Confidentiality agreements are entered into by individuals and businesses alike. They have many purposes, such as:

  • Protecting trade secrets and proprietary information from competitors who might otherwise use it against the organisation;
  • Preventing an employee from sharing sensitive company information with another company; and
  • Protecting intellectual property (IP) such as inventions not yet patented, designs and copyrighted works.


Attributes Table of Control 6.6

Controls are classified using attributes. Using these, you can quickly match your control selection with commonly used industry terms and specifications.

Attributes for control 6.6 are:

Control type: #Preventive
Information security properties: #Confidentiality, #Integrity, #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Asset Management, #Information Protection, #Physical Security, #System and Network Security
Security domains: #Protection

What Is the Purpose of Control 6.6?

Control 6.6 should be implemented in order to ensure the security of information when personnel, partners, and vendors work with an organisation.

This control is intended to safeguard the organisation’s information and to inform signatories of their responsibility to handle and protect information in a responsible and authorised way. It is also used as a tool for protecting intellectual property rights, such as patents, trademarks, trade secrets and copyrights.

It is important for employers to have a non-disclosure agreement in place before disclosing any confidential information to an employee or contractor. The agreement will set out how closely the individual should guard the information that they are exposed to and how long the period of confidentiality will run for after employment has ended.

Control 6.6 Explained

Control 6.6 aims to protect the intellectual property and business interests of your organisation by preventing the disclosure of sensitive information to unauthorised parties. It refers to a legal contract or arrangement between your organisation and its employees, partners, contractors, vendors and other third parties that governs the use of confidential information.

Confidential information is information the organisation has classified as confidential and has not made public. Examples include trade secrets, customer lists, formulas and business plans.

The control applies whenever personnel or a third party will have access to confidential information, including sensitive personal data. The organisation should decide what terms are needed before granting that access, and what must happen to the access, and to any copies the other party holds, when the relationship ends.

When a third party is exiting the business relationship and there is a risk that sensitive organisational data may be disclosed as a result, the organisation must take reasonable steps before the third party leaves, or as soon as possible afterwards, to prevent such disclosure, for example by recovering the information or confirming its destruction and revoking the party's access.


What Is Involved and How to Meet the Requirements

Under an agreement that meets control 6.6, the parties undertake not to disclose the confidential information it covers. The information may be disclosed only with the written consent of the organisation or where disclosure is compelled by law, for example by a court order. This protects sensitive information about business practices, intellectual property, and research and development.

To meet the requirements of control 6.6, the confidentiality or non-disclosure agreement needs to be carefully drafted so that it covers the trade secrets and sensitive information involved in the organisation's dealings and transactions. Both parties must understand their obligations under the contract, during and after the end of the business relationship.

A confidentiality clause may also be included in other contracts, and it should extend beyond the end of an employee's employment or a third party's engagement.

When a person leaves a business relationship or changes jobs, their security responsibilities and duties must be handed over to a named successor, all of their access rights revoked, and any shared credentials or secrets they knew rotated. Disabling the person's own account is not sufficient if a shared password or API key they used remains valid.

The following elements should be considered when drafting confidentiality and non-disclosure agreements:

  1. A description of the information that needs to be protected (e.g., confidential data);
  2. Duration of an agreement, including situations where confidentiality must be maintained indefinitely or until the information becomes public;
  3. The required actions in the event of termination of an agreement;
  4. Responsibilities and actions signatories should take to prevent unauthorised disclosure of information;
  5. How ownership of information, trade secrets, and intellectual property affects confidentiality;
  6. The permitted use of confidential information, along with the rights of the signatory to use it;
  7. The right to monitor or audit activities involving highly sensitive information;
  8. The procedure for notifying and reporting unauthorised disclosures or leaks of confidential information;
  9. The terms for returning or destroying information upon termination of the agreement;
  10. The actions to be taken if the agreement is not followed.

The organisation should ensure that confidentiality and non-disclosure agreements are in compliance with the laws of the jurisdiction where they apply.

Confidentiality and non-disclosure agreements should be reviewed periodically and whenever changes affect their requirements, for example a change in the classification of the information covered or in the other party's permitted access.

More information on how this works is available in the ISO 27002:2022 standard document.

Changes and Differences from ISO 27002:2013

Control 6.6 in the new ISO 27002:2022 is not a new control, rather, it is a modified version of control 13.2.4 in ISO 27002:2013.

While the two controls contain similar features, they differ slightly: the implementation guidance in the two versions is similar but not identical.

The first part of the implementation guidance in control 13.2.4 in ISO 27002:2013 states that:

“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organisation. Elements should be selected or added in consideration of the type of the other party and its permissible access or handling of confidential information.”

The same section in control 6.6 of ISO 27002:2022 states that:

“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to interested parties and personnel of the organisation.

Based on an organisation’s information security requirements, the terms in the agreements should be determined by taking into consideration the type of information that will be handled, its classification level, its use and the permissible access by the other party.”

The two controls have the same structure and function. Control 6.6 is worded more plainly, broadens the scope from "external parties or employees" to "interested parties and personnel", and explicitly ties the agreement terms to the classification of the information and the access the other party is permitted, which makes the control easier to understand and apply.

In addition, the 2022 version of ISO 27002 includes statements of purpose and attributes tables for each control, which help users understand and implement the controls more effectively. These two sections are not available in the 2013 edition.


Who Is in Charge of This Process?

Control 6.6 does not assign ownership of this process. In most organisations the human resources department manages the drafting and signing of confidentiality or non-disclosure agreements for personnel, with legal review, in collaboration with the manager or department that engages the third party concerned.

The supervising manager could be the Information Security Officer, sales or production manager.

These departments and heads are also responsible for ensuring that any third party vendors used by the organisation have adequate security measures in place to protect confidential information from unauthorised disclosure or use.

They should make sure that all employees sign a confidentiality agreement when they start working for the company.

In most cases (depending on how large the organisation is), confidentiality or non-disclosure agreements are signed by all employees who have access to confidential information.

This typically includes any employee who works in sales, marketing, customer service or other departments where they might come into contact with confidential information regarding clients, customers or vendors.

Even where no separate written agreement exists with an external party, the organisation's policy should require personnel to sign a confidentiality agreement before they are given access to sensitive information about clients or vendors.

Some risks associated with not having an adequate confidentiality agreement policy in place include:

  • Employees may inadvertently leak sensitive information to someone outside of the company who shouldn’t have access to it, causing damage to the organisation.
  • An employee may disclose sensitive data to a competitor.
  • A disgruntled employee may steal the company’s intellectual property (IP) and use it for his or her own benefit.
  • Employees could leave sensitive information unprotected on a workstation at the office or on a laptop taken home, from where it could be stolen.

What Do These Changes Mean for You?

Control 6.6 itself has not been substantively altered; the 2022 revision restructured and reworded the 2013 control to improve usability. Organisations that already satisfy control 13.2.4 of ISO 27002:2013 will find that their existing agreements largely satisfy control 6.6.

To align with ISO 27002:2022, however, the organisation may need to make minor modifications to its processes and documentation, such as updating control references and the mapping of its agreements to the new control numbering, particularly where it needs to re-certify against ISO/IEC 27001:2022.

To learn more about how these changes to control 6.6 will influence your organisation, please see our guide on ISO 27002:2022.

New ISO 27002 Controls

New Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
5.7 NEW Threat intelligence
5.23 NEW Information security for use of cloud services
5.30 NEW ICT readiness for business continuity
7.4 NEW Physical security monitoring
8.9 NEW Configuration management
8.10 NEW Information deletion
8.11 NEW Data masking
8.12 NEW Data leakage prevention
8.16 NEW Monitoring activities
8.23 NEW Web filtering
8.28 NEW Secure coding
Organisational Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
5.1 05.1.1, 05.1.2 Policies for information security
5.2 06.1.1 Information security roles and responsibilities
5.3 06.1.2 Segregation of duties
5.4 07.2.1 Management responsibilities
5.5 06.1.3 Contact with authorities
5.6 06.1.4 Contact with special interest groups
5.7 NEW Threat intelligence
5.8 06.1.5, 14.1.1 Information security in project management
5.9 08.1.1, 08.1.2 Inventory of information and other associated assets
5.10 08.1.3, 08.2.3 Acceptable use of information and other associated assets
5.11 08.1.4 Return of assets
5.12 08.2.1 Classification of information
5.13 08.2.2 Labelling of information
5.14 13.2.1, 13.2.2, 13.2.3 Information transfer
5.15 09.1.1, 09.1.2 Access control
5.16 09.2.1 Identity management
5.17 09.2.4, 09.3.1, 09.4.3 Authentication information
5.18 09.2.2, 09.2.5, 09.2.6 Access rights
5.19 15.1.1 Information security in supplier relationships
5.20 15.1.2 Addressing information security within supplier agreements
5.21 15.1.3 Managing information security in the ICT supply chain
5.22 15.2.1, 15.2.2 Monitoring, review and change management of supplier services
5.23 NEW Information security for use of cloud services
5.24 16.1.1 Information security incident management planning and preparation
5.25 16.1.4 Assessment and decision on information security events
5.26 16.1.5 Response to information security incidents
5.27 16.1.6 Learning from information security incidents
5.28 16.1.7 Collection of evidence
5.29 17.1.1, 17.1.2, 17.1.3 Information security during disruption
5.30 NEW ICT readiness for business continuity
5.31 18.1.1, 18.1.5 Legal, statutory, regulatory and contractual requirements
5.32 18.1.2 Intellectual property rights
5.33 18.1.3 Protection of records
5.34 18.1.4 Privacy and protection of PII
5.35 18.2.1 Independent review of information security
5.36 18.2.2, 18.2.3 Compliance with policies, rules and standards for information security
5.37 12.1.1 Documented operating procedures
People Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
6.1 07.1.1 Screening
6.2 07.1.2 Terms and conditions of employment
6.3 07.2.2 Information security awareness, education and training
6.4 07.2.3 Disciplinary process
6.5 07.3.1 Responsibilities after termination or change of employment
6.6 13.2.4 Confidentiality or non-disclosure agreements
6.7 06.2.2 Remote working
6.8 16.1.2, 16.1.3 Information security event reporting
Physical Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
7.1 11.1.1 Physical security perimeters
7.2 11.1.2, 11.1.6 Physical entry
7.3 11.1.3 Securing offices, rooms and facilities
7.4 NEW Physical security monitoring
7.5 11.1.4 Protecting against physical and environmental threats
7.6 11.1.5 Working in secure areas
7.7 11.2.9 Clear desk and clear screen
7.8 11.2.1 Equipment siting and protection
7.9 11.2.6 Security of assets off-premises
7.10 08.3.1, 08.3.2, 08.3.3, 11.2.5 Storage media
7.11 11.2.2 Supporting utilities
7.12 11.2.3 Cabling security
7.13 11.2.4 Equipment maintenance
7.14 11.2.7 Secure disposal or re-use of equipment
Technological Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
8.1 06.2.1, 11.2.8 User endpoint devices
8.2 09.2.3 Privileged access rights
8.3 09.4.1 Information access restriction
8.4 09.4.5 Access to source code
8.5 09.4.2 Secure authentication
8.6 12.1.3 Capacity management
8.7 12.2.1 Protection against malware
8.8 12.6.1, 18.2.3 Management of technical vulnerabilities
8.9 NEW Configuration management
8.10 NEW Information deletion
8.11 NEW Data masking
8.12 NEW Data leakage prevention
8.13 12.3.1 Information backup
8.14 17.2.1 Redundancy of information processing facilities
8.15 12.4.1, 12.4.2, 12.4.3 Logging
8.16 NEW Monitoring activities
8.17 12.4.4 Clock synchronization
8.18 09.4.4 Use of privileged utility programs
8.19 12.5.1, 12.6.2 Installation of software on operational systems
8.20 13.1.1 Networks security
8.21 13.1.2 Security of network services
8.22 13.1.3 Segregation of networks
8.23 NEW Web filtering
8.24 10.1.1, 10.1.2 Use of cryptography
8.25 14.2.1 Secure development life cycle
8.26 14.1.2, 14.1.3 Application security requirements
8.27 14.2.5 Secure system architecture and engineering principles
8.28 NEW Secure coding
8.29 14.2.8, 14.2.9 Security testing in development and acceptance
8.30 14.2.7 Outsourced development
8.31 12.1.4, 14.2.6 Separation of development, test and production environments
8.32 12.1.2, 14.2.2, 14.2.3, 14.2.4 Change management
8.33 14.3.1 Test information
8.34 12.7.1 Protection of information systems during audit testing

How ISMS.Online Helps

ISO 27002 is a widely recognised information security standard that provides guidance on selecting and implementing controls to protect the confidentiality, integrity and availability of an organisation's information; the certifiable requirements for an information security management system (ISMS) are set out in ISO 27001. The standard is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), non-governmental bodies that develop, review and publish international standards.

ISMS.Online helps organisations and businesses meet the requirements of ISO 27002 by providing them with a platform that makes it easy to manage their confidentiality or non-disclosure policies and procedures, update them as needed, test them and monitor their effectiveness.

We provide a cloud-based platform for managing your Information Security Management System, including confidentiality and non-disclosure clauses, risk management, policies, plans and procedures, in one central location. The platform is easy to use and has an intuitive interface.

ISMS.Online enables you to:

  • Document your processes. This intuitive interface allows you to document your processes without installing any software on your computer or network.
  • Automate your risk assessment process.
  • Demonstrate compliance easily with online reports and checklists.
  • Keep a record of progress while working toward certification.

ISMS.Online offers a full range of features to help organisations achieve compliance with ISO 27001 and implement the controls of ISO 27002 within their ISMS.



Sam Peters

Sam is Chief Product Officer at ISMS.online and leads the development on all product features and functionality. Sam is an expert in many areas of compliance and works with clients on any bespoke or large-scale projects.
