Terms and Conditions of Employment - ISO 27001 Annex A Control

The information security obligations need to be in the contract.

ISO 27001 Annex A 6.2 - Terms and Conditions of Employment

The control links information security to the employment relationship at a contractual level. Without that link, security obligations rely on policy documents that staff may not have signed and may dispute. With the link in place, security obligations are part of the deal of working for the organisation, with all the legal weight that contractual obligations carry.

The contract typically states that the worker will comply with the organisation's information security policies, will protect confidential information during and after employment, and accepts that misuse of information may be treated as a disciplinary matter. The level of detail varies: some organisations build the obligations into the main contract, others use a separate confidentiality agreement, and others rely on a policy schedule referenced from the contract. The mechanism matters less than the clarity of the obligations it carries.

The same logic extends to contractors and temporary staff. The procurement contract or engagement letter should carry equivalent obligations. Where a third party will handle the organisation's information, the contract should state how it must be protected, what happens at the end of the engagement, and what consequences apply if obligations are breached.

The test for this control is whether the contractual obligations actually mean something. If the contract says the worker will follow the security policies but no one knows where those policies are, the obligation is empty. If the contract is clear, the policies are accessible, and acknowledgement is captured, the chain holds together.

Practical Compliance Guidance

The contractual arrangements for information security are described in the IMS1 manual at section 8.5 alongside the People Security Policy. The worker read-and-understood form provides evidence of acknowledgement.

alphaZ document - How to use it

- ISO 27001 Toolkit: The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.
- F-Q24 Worker Read and Understood: The acknowledgement form used to evidence that staff have read the relevant policies that sit alongside the contractual obligations. Use as the standard supporting record.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Either approach can work. Including the obligations in the main contract embeds them in the headline employment terms. Using a separate confidentiality agreement or policy schedule keeps the main contract simpler and allows the security obligations to be updated without reissuing the full contract. The choice often depends on existing HR practice.

Updates can be issued either as contract variations or as additional acknowledgements alongside the existing contract. The route should be agreed with HR and legal. The aim is that the current contractual position reflects the security obligations the organisation needs in place, even if that is achieved through a supplementary document rather than a full contract reissue.

Yes. Confidentiality obligations and obligations to return information typically continue after the employment relationship ends. The contract should make this clear, and the leaver process under A.6.5 should remind the worker of the continuing obligations at the point of departure.
