ISO 27001 Annex A Control 6.2

ISO 27001 control 6.2 Terms and conditions of employment

The basics

ISO 27001 control A.6.2 Terms and conditions of employment requires companies to include security clauses in their agreements with employees and third parties, so that everyone knows exactly what is expected of them with regard to security.

Documentation

ISO 27001 control A.6.2 Terms and conditions of employment can be documented by inserting security clauses into existing agreements with the personnel. Some additional documents can be signed, like Statement of Acceptance of ISMS Documents, Confidentiality Statement, or NDAs.

Implementation

In order to comply with control A.6.2 Terms and conditions of employment you might implement the following:

  • Technology — companies of all sizes may use their existing document-management tools to draft and sign security clauses in agreements with employees and suppliers.
  • Organization/processes — you should set up a process for defining which information security requirements must be included as terms and conditions of employment. You can document those processes by inserting security clauses into existing agreements with the personnel; alternatively, some additional documents can be signed, like a Statement of Acceptance of ISMS Documents, a Confidentiality Statement, or NDAs.
  • People — make employees aware of why security terms and conditions are needed, and train HR personnel on how to identify and include them in the company’s documentation.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.6.2 Terms and conditions of employment: whether security clauses are included in contractual agreements with employees and third parties.