ISO 27002:2022, Control 6.6 – Confidentiality or Non-Disclosure Agreements

Attributes Table

Controls are classified using attributes. Using these, you can quickly match your control selection with commonly used industry terms and specifications.

Attributes for control 6.5 are:

What Is the Purpose of Control 6.6?

Control 6.6 should be implemented in order to ensure the security of information when personnel, partners, and vendors work with an organisation.

This control is intended to safeguard the organisation’s information and to inform signatories of their responsibility to handle and protect information in a responsible and authorised way. It is also used as a tool for protecting intellectual property rights, such as patents, trademarks, trade secrets and copyrights.

It is important for employers to have a non-disclosure agreement in place before disclosing any confidential information to an employee or contractor. The agreement will set out how closely the individual should guard the information that they are exposed to and how long the period of confidentiality will run for after employment has ended.

Control 6.6 Explained

Control 6.6 aims to protect the intellectual property and business interests of your organisation by preventing the disclosure of sensitive information to third parties.It refers to a legal contract or an arrangement between your organisation and its employees, partners, contractors, vendors and other third parties that governs the use of confidential information.

Confidential information is any information that has not been made available to the public or other companies in a similar industry. Examples include trade secrets, customer lists, formulas and business plans.

The control should be implemented when assessing whether a third party will have access to sensitive personal data, and whether steps need to be taken to ensure that they do not retain and continue to access the organisation’s sensitive personal data after their departure.

When an organisation determines that a third party is exiting the business relationship, and there is a risk that sensitive organisational or company data may be disclosed as a result, then the organisation must take reasonable steps before that third party leaves, or as soon as possible after they have left, to prevent such disclosure.

What Is Involved and How to Meet the Requirements

Control 6.6 means that the parties to the agreement do not disclose confidential information covered by the agreement. The information may be disclosed only with written consent from the organisation or in accordance with a court order. This is important to protect sensitive information about business practices, intellectual property and research and development.

To meet the requirements of control 6.6, a “confidentiality” and “non-disclosure” agreement/ contract need to be carefully drafted so that it covers all trade secrets and sensitive data/information aspects of the organisation’s dealings and transactions. It is important that both parties understand their obligations under the contract and duties during and after the end of the business relationship.

A confidentiality clause may also be included in other contracts that extend beyond the end of the employee’s employment or third parties engagement.

It is imperative that the person who is leaving a business relationship or changing jobs has his or her security responsibilities and duties passed to a new person, and all access credentials deleted and a new one created.

The following elements should be considered when identifying confidentiality and non-disclosure agreements:

1. A description of the information that needs to be protected (e.g., confidential data);
2. Duration of an agreement, including situations where confidentiality must be maintained indefinitely or until the information becomes public;
3. The required actions in the event of termination of an agreement;
4. Responsibilities and actions signatories should take to prevent unauthorised disclosure of information;
5. How ownership of information, trade secrets, and intellectual property affects confidentiality;
6. The permitted use of confidential information, along with the rights of the signatory to use it;
7. The right to monitor or audit activities involving highly sensitive information;
8. The procedure for notifying and reporting unauthorised disclosures or leaks of confidential information;
9. The terms for returning or destroying information upon termination of the agreement;
10. The actions to be taken if the agreement is not followed.

The organisation should ensure that confidentiality and non-disclosure agreements are in compliance with the laws of the jurisdiction where they apply.

A review of confidentiality and nondisclosure agreements should occur periodically and whenever changes impact their requirements.

More information on how this works is available in the ISO 27002:2022 standard document.

Changes and Differences from ISO 27002:2013

Control 6.6 in the new ISO 27002:2022 is not a new control, rather, it is a modified version of control 13.2.4 in ISO 27002:2013.

While these two controls contain similar features, they do differ slightly. For example, while the implementation guidance in both versions are similar, they are not identical.

The first part of the implementation guidance in control 13.2.4 in ISO 27002:2013 states that:

“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organisation. Elements should be selected or added in consideration of the type of the other party and its permissible access or handling of confidential information.”

The same section in control 6.6 of ISO 27002:2022 states that:

“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to interested parties and personnel of the organisation.

Based on an organisation’s information security requirements, the terms in the agreements should be determined by taking into consideration the type of information that will be handled, its classification level, its use and the permissible access by the other party.”

Both controls, though differing in semantic meaning, have similar structure and function in their respective contexts. However, control 6.6 uses a more simplified and user-friendly language so that the content and context are easier to understand. This means those who will be using the standard can relate to its content more easily.

In addition, the 2022 version of ISO 27002 includes statements of purpose and attributes tables for each control, which help users understand and implement the controls more effectively. These two sections are not available in the 2013 edition.

Who Is in Charge of This Process?

According to control 6.6 of the ISO 27002 standard, the human resources department usually manages the drafting and implementation of the confidentiality or non-disclosure agreement in most organisations, which involves collaborating with the supervising manager or department of the concerned third party.

The supervising manager could be the Information Security Officer, sales or production manager.

These departments and heads are also responsible for ensuring that any third party vendors used by the organisation have adequate security measures in place to protect confidential information from unauthorised disclosure or use.

They should make sure that all employees sign a confidentiality agreement when they start working for the company.

In most cases (depending on how large the organisation is), confidentiality or non-disclosure agreements are signed by all employees who have access to confidential information.

This typically includes any employee who works in sales, marketing, customer service or other departments where they might come into contact with confidential information regarding clients, customers or vendors.

In some cases, even if there isn’t an actual written agreement between two parties, organisations should have policies in place requiring employees to sign a confidentiality agreement before they’re allowed access to sensitive information about clients or vendors.

Some risks associated with not having an adequate confidentiality agreement policy in place include:

• Employees may inadvertently leak sensitive information to someone outside of the company who shouldn’t have access to it, causing damage to the organisation.
• An employee may disclose sensitive data to a competitor.
• A disgruntled employee may steal the company’s intellectual property (IP) and use it for his or her own benefit.
• Employees could accidentally leave sensitive information on their computer desktop at work or on their laptop at home, which could be stolen by a hacker.

What Do These Changes Mean for You?

The ISO 27002:2013 standard has not been significantly altered. The standard was only updated to facilitate usability. Organisations that are currently in compliance with ISO 27002:2013 do not need to take any additional steps to maintain compliance with the standard.

In order to comply with the revisions in ISO 27002:2022, the organisation may find it necessary to make some minor modifications to its existing processes and procedures, particularly if there is a need to re-certify.

To learn more about how these changes to control 6.6 will influence your organisation, please see our guide on ISO 27002:2022.

How ISMS.Online Helps

ISO 27002 is a widely recognised information security standard that provides a set of requirements for an organisation to protect the confidentiality, integrity, and availability of its information. The standard was developed by the International Organization for Standardization (ISO), a non-governmental organisation that sets, reviews and publishes international standards.

ISMS.Online helps organisations and businesses meet the requirements of ISO 27002 by providing them with a platform that makes it easy to manage their confidentiality or non-disclosure policies and procedures, update them as needed, test them and monitor their effectiveness.

We provide a cloud-based platform for the management of Confidentiality and Information Security Management Systems, including non-disclosure clauses, risk management, policies, plans and procedures, in one central location. The platform is easy to use and has an intuitive interface that makes it simple to learn how to use.

ISMS.Online enables you to:

• Document your processes. This intuitive interface allows you to document your processes without installing any software on your computer or network.
• Automate your risk assessment process.
• Demonstrate compliance easily with online reports and checklists.
• Keep a record of progress while working toward certification.

ISMS.Online offers a full range of features to help organisations and businesses achieve compliance with the industry standard ISO 27001 and/or ISO 27002 ISMS.

Please contact us today to schedule a demo.