ISO 27001: 2022 A.6.6 Confidentiality or non-disclosure agreements

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.6.6 Confidentiality or non-disclosure agreements.

ISO 27001: 2022 Control Description

Confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

Purpose

To maintain the confidentiality of information accessible to personnel or external parties.

Guidance on implementation

Confidentiality or non-disclosure agreements should address the need to protect confidential information using legally enforceable terms. These agreements apply to interested parties and personnel of the organisation. Depending on the organisation’s information security requirements, the terms in the agreements should be determined by considering the type of information being handled, its classification level, its use, and the permissible access by the other party.

To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:

a) a definition of the information to be protected (e.g. confidential information);

b) the expected duration of the agreement, including cases where it may be necessary to maintain confidentiality indefinitely or until the information becomes publicly available;

c) the required actions upon termination of the agreement;

d) the responsibilities and actions of signatories to prevent unauthorised disclosure of information;

e) the ownership of information, trade secrets, and intellectual property, and how this relates to the protection of confidential information;

f) the permitted use of confidential information and the rights of the signatory to use it;

g) the right to audit and monitor activities involving confidential information under highly sensitive circumstances;

h) the process for notifying and reporting unauthorised disclosure or leakage of confidential information;

i) the terms for returning or destroying information upon termination of the agreement;

j) the expected actions to be taken in the event of non-compliance with the agreement.

The organisation should ensure compliance with confidentiality and non-disclosure agreements in accordance with the applicable jurisdiction.

Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and whenever changes occur that affect these requirements.

Other Information

Confidentiality and non-disclosure agreements protect the organisation's information and inform signatories of their responsibility to protect, use, and disclose information in a responsible and authorised manner.