What does control A.3.18 require?
Confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of PII shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.
This control sits within the Shared security controls annex (A.3) and establishes a fundamental contractual safeguard: everyone who has access to PII must be formally bound by confidentiality obligations. This creates a clear legal basis for enforcing data protection responsibilities at the individual level.
What does the Annex B implementation guidance say?
Annex B (section B.3.18) provides the following guidance:
- Ensure PII access is governed by confidentiality obligations — All individuals who have access to PII should be subject to a confidentiality obligation, whether through an employment contract, standalone NDA or equivalent agreement
- Specify obligation duration — Clearly state how long the confidentiality obligations apply, which may extend beyond the end of employment or the contract period
- Processor-specific requirements — For processors, the confidentiality agreement should ensure that employees and agents comply with the organisation’s data handling and protection policies
- See also A.3.19: Clear Desk and Clear Screen for related requirements
The guidance makes clear that confidentiality is not just a cultural expectation — it must be a documented, signed commitment with a defined duration, so that obligations survive role changes, employment termination and contract expiry.
How does this map to GDPR?
Control A.3.18 maps to several GDPR articles:
- Article 5(1)(f) — The integrity and confidentiality principle, requiring appropriate security measures including protection against unauthorised disclosure
- Article 28(3)(b) — Processors must ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Article 38(5) (related provision, not formally mapped in Annex D) — The Data Protection Officer is bound by secrecy or confidentiality concerning the performance of their tasks
Article 28(3)(b) is particularly significant because it makes confidentiality commitments a mandatory element of processor arrangements — not optional best practice.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was covered by Clause 6.10.2.4 (confidentiality or non-disclosure agreements). The 2025 edition retains the core requirements as A.3.18 with clearer separation between the control statement and implementation guidance in B.3.18. The emphasis on specifying the duration of obligations and ensuring processor employee compliance remains central. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.3.18, auditors will typically look for:
- NDA/confidentiality agreement register — A maintained list of all individuals who have signed confidentiality agreements, including the date signed, the version of the agreement and the expiry or review date
- Signed agreements — Copies of signed agreements for all personnel and relevant interested parties with PII access
- Agreement content — That agreements specify the scope of confidentiality, the types of information covered, the duration of obligations and the consequences of breach
- Regular review evidence — Records showing that agreements are reviewed at planned intervals and updated when requirements change
- Coverage for all access types — Agreements covering permanent staff, contractors, temporary workers, consultants and any other parties with PII access
What are the related controls?
| Control | Relationship |
|---|---|
| A.3.9 Access rights | Confidentiality agreements should be signed before PII access is provisioned |
| A.3.17 Awareness and training | Training should reinforce the obligations staff have committed to in their agreements |
| A.3.10 Supplier agreements | Supplier contracts should require that supplier personnel sign confidentiality agreements |
| A.3.13 Legal and contractual requirements | Confidentiality obligations may be driven by legal or contractual requirements |
| A.3.14 Protection of records | Signed agreements must be stored securely and retained for the appropriate period |
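As an added example (not code from this page, ISMS.online or the standard), the register fields auditors expect (signer, date signed, agreement version, review or expiry date) can be checked automatically to enforce the A.3.9 rule that an agreement precedes PII access and to raise the review and expiry alerts the guidance implies. The register contents, template version numbers and the 60-day alert window are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample register (not real people or agreements). The fields mirror
# the NDA register evidence list: signer, date signed, agreement version, and
# the review or expiry date of the obligation.
CURRENT_VERSION = "3.0"  # assumed current agreement template version
REGISTER = [
    {"person": "alice", "signed": date(2024, 3, 1), "version": "3.0",
     "review_by": date(2025, 3, 1), "expires": None},
    {"person": "bob", "signed": date(2022, 6, 15), "version": "2.1",
     "review_by": date(2023, 6, 15), "expires": None},
    {"person": "carol", "signed": date(2023, 1, 10), "version": "3.0",
     "review_by": date(2025, 1, 10), "expires": date(2024, 12, 31)},
]

def latest_agreement(register, person):
    """Most recently signed agreement for a person, or None if none is on record."""
    rows = [r for r in register if r["person"] == person]
    return max(rows, key=lambda r: r["signed"]) if rows else None

def pii_access_decision(register, person, today, current_version=CURRENT_VERSION):
    """Gate PII access on the register (A.3.9 + A.3.18). Returns (allowed, findings).
    No agreement, a superseded template version or an expired agreement block access;
    an overdue review is reported but does not block, as the signed obligation stands."""
    row = latest_agreement(register, person)
    if row is None:
        return False, ["no signed confidentiality agreement on record"]
    blocking, advisory = [], []
    if row["version"] != current_version:
        blocking.append(f"signed version {row['version']} superseded by {current_version}; re-signing required")
    if row["expires"] is not None and row["expires"] < today:
        blocking.append(f"agreement expired on {row['expires'].isoformat()}")
    if row["review_by"] < today:
        advisory.append(f"review overdue since {row['review_by'].isoformat()}")
    return not blocking, blocking + advisory

def due_for_attention(register, today, within_days=60):
    """Review/expiry alerts: entries whose date falls on or before today + within_days."""
    horizon = today + timedelta(days=within_days)
    hits = []
    for r in register:
        for field in ("review_by", "expires"):
            if r[field] is not None and r[field] <= horizon:
                hits.append((r["person"], field, r[field]))
    return sorted(hits)

if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        print(who, pii_access_decision(REGISTER, who, date(2025, 1, 15)))
    print(due_for_attention(REGISTER, date(2024, 12, 1)))
```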
Who does this control apply to?
A.3.18 is a shared control that applies to both PII controllers and PII processors. Controllers must ensure their own staff and third parties are bound by confidentiality. Processors have the additional obligation under GDPR Article 28(3)(b) to ensure that all persons authorised to process personal data have committed to confidentiality, which makes this control a contractual requirement, not just best practice.
Why choose ISMS.online for managing confidentiality agreements?
ISMS.online provides practical tools for maintaining confidentiality agreements across your organisation:
- Agreement register — Maintain a central register of all confidentiality and NDA agreements, with signer details, dates, versions and review schedules
- Digital signature workflows — Issue, track and collect signed agreements electronically, with automated reminders for outstanding signatures
- Version management — When agreement templates are updated, track which personnel are on the current version and trigger re-signing where needed
- Expiry and review alerts — Automated notifications when agreements approach their review date or when confidentiality periods are about to expire
- Linked to access management — Connect confidentiality agreements to your access control register so that PII access is only granted once agreements are in place
FAQs
How long should confidentiality obligations last?
The implementation guidance requires organisations to specify the duration of obligations. In many cases, confidentiality obligations extend beyond the end of employment or the contract period — often for two to five years, or indefinitely for particularly sensitive data. The duration should be proportionate to the sensitivity of the PII and the potential harm from disclosure. Legal advice may be needed to ensure enforceability in relevant jurisdictions.
Can employment contract clauses replace standalone NDAs?
Yes, provided the employment contract contains sufficiently detailed confidentiality provisions that cover PII specifically, state the duration of obligations and are appropriate to the individual’s role. Many organisations include a general confidentiality clause in employment contracts and supplement it with a more detailed PII-specific agreement for personnel in high-risk roles. The key is that the obligations are documented and signed, regardless of the document format.
What happens if a person refuses to sign a confidentiality agreement?
If a person refuses to sign and their role requires PII access, they should not be granted access until the agreement is in place. For new employees, signing the confidentiality agreement should be a condition of employment or at least a condition of receiving PII access rights. For existing personnel, the organisation should work with HR and legal to resolve the situation, which may involve reassigning the individual to a role that does not require PII access.