ISO 27001 Annex A Control 6.6

ISO 27001 control 6.6 Confidentiality or non-disclosure agreements

The basics

ISO 27001 control A.6.6 Confidentiality or non-disclosure agreements requires the organization to identify and document such agreements, review them regularly, and have them signed by employees and other relevant interested parties (for example, contractors and suppliers) so that everyone who handles the organization's information knows what they are required to protect and how.

Documentation

ISO 27001 control A.6.6 Confidentiality or non-disclosure agreements can be documented through Confidentiality Statements or NDAs signed by employees and other personnel, together with the signed copies kept on record.

This control must be documented.

Implementation

In order to comply with control A.6.6 Confidentiality or non-disclosure agreements you might implement the following:

  • Technology — the tools used to write, sign, and store confidentiality and non-disclosure agreements may be the same ones used to handle other documents; no dedicated technology is required.
  • Organization/processes — define a process that sets the criteria for deciding with whom confidentiality and non-disclosure agreements are signed, what they must contain, and how often they are reviewed. You can then create templates for Confidentiality Statements or NDAs.
  • People — make employees and other personnel aware of why Confidentiality Statements and NDAs are needed and what obligations they impose, and train HR personnel on how to develop and maintain them.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.6.6 Confidentiality or non-disclosure agreements: whether the agreements have been defined and documented, whether they are reviewed regularly, and whether signed copies exist for all relevant personnel and third parties.