Confidentiality or Non-Disclosure Agreements - ISO 27001 Annex A Control

ISO 27001 Annex A 6.6

Where confidentiality matters, the agreement makes the obligation explicit and enforceable.

ISO 27001 Annex A 6.6 - Confidentiality or Non-Disclosure Agreements

Confidentiality agreements give the organisation a documented and enforceable position when sensitive information is shared with someone whose obligation might otherwise be unclear. Employees usually have confidentiality clauses in their main contracts, but contractors, consultants, business partners, third parties evaluating products or services, and other ad-hoc relationships often need a specific agreement to establish the position.

The agreement should be tailored to the situation. A standard NDA template covers most low-risk situations - a contractor receiving routine commercial information, for example. Higher-risk situations may need bespoke agreements - sharing source code, customer data or specific intellectual property typically warrants more specific terms covering the exact information, the permitted uses, the duration of obligations and the consequences of breach.

The control also asks for regular review. Old NDAs may reference outdated business arrangements, missing parties or information categories that no longer match the organisation's needs. Where standard templates are used, those templates should be reviewed periodically and aligned with current legal advice and business practice.

The audit question is whether the right confidentiality agreement is in place for each significant relationship. I will sample a range of third parties handling sensitive information and check that an appropriate agreement covers each. Gaps - relationships where sensitive information is shared without a documented confidentiality basis - are findings.

Practical Compliance Guidance

Confidentiality and non-disclosure arrangements are described in the IMS1 Manual in Section 8.2 on Information Security Arrangements. The F-HR15 Employment Letter and Contract can also be used, as it includes a confidentiality agreement.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit, including the IMS1 Manual, policies, procedures, registers and audit checklists.

F-HR15 Employment Letter and Contract - Two separate HR file templates for providing a prospective employee with an offer of employment (F-HR15A) and a simple employment contract (F-HR15B). Includes a confidentiality agreement.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

A one-way NDA covers the situation where one party shares confidential information and the other commits to protect it - typical for contractor engagements where the organisation shares its information. A two-way (mutual) NDA covers situations where both parties may share confidential information - typical for partnership discussions or evaluations of joint opportunities. Use whichever reflects the actual flow of information.

It depends on the nature of the information. For routine commercial information, two to five years from disclosure is typical. For trade secrets and information of long-term value, an indefinite or perpetual obligation may be appropriate. The duration should reflect how long the information is genuinely sensitive, balanced against what the receiving party can reasonably be asked to commit to.

Yes. Without central tracking, the organisation cannot easily answer whether a particular party has an agreement in place, or which obligations apply to a given relationship. A simple register listing the parties, the date, the scope and the duration is usually sufficient. The supplier register or contract register can serve this purpose.
