ISO 27001: 2022 A.6.2 Terms and conditions of employment

This article provides additional information on how you can meet the requirement of ISO 27001:2022 control A.6.2, Terms and conditions of employment.

ISO 27001: 2022 Control Description

The employment contractual agreements shall state the personnel’s and the organisation’s responsibilities for information security.

Purpose

To ensure that personnel understand their information security responsibilities in relation to their roles.

Guidance on implementation

Contractual obligations for personnel should reflect the organisation’s information security policy and relevant topic-specific policies. Additionally, the following aspects should be clarified and included:

a) Confidentiality or non-disclosure agreements that personnel with access to confidential information should sign before being granted access to information and other associated assets;

b) Legal responsibilities and rights (e.g. concerning copyright laws or data protection legislation);

c) Responsibilities for classifying information and managing the organisation’s information and other associated assets, information processing facilities, and information services handled by personnel;

d) Responsibilities for handling information received from interested parties;

e) Actions to be taken if personnel fail to comply with the organisation’s security requirements.

Information security roles and responsibilities should be communicated to candidates during the pre-employment process.

The organisation should ensure that personnel agree to terms and conditions concerning information security. These terms and conditions should be appropriate to the nature and extent of their access to the organisation’s assets related to information systems and services. The terms and conditions concerning information security should be reviewed whenever laws, regulations, the information security policy, or topic-specific policies change.

Where applicable, responsibilities outlined in the terms and conditions of employment should continue for a defined period after the end of employment.

Other Information

A code of conduct can be used to outline personnel’s information security responsibilities related to confidentiality, PII protection, ethics, appropriate use of the organisation’s information and other associated assets, as well as the reputable practices expected by the organisation.

An external party with which supplier personnel are associated may be required to enter into contractual agreements on behalf of the contracted individual.

If the organisation is not a legal entity and does not have employees, equivalent contractual agreements and terms and conditions should be considered in line with this control’s guidance.