# ISO 27001 A.6.2: Terms and conditions of employment

## What This Control Requires
The employment contractual agreements shall state the personnel's and the organization's responsibilities for information security.
## In Plain Language
If an employee leaks confidential data and their contract says nothing about security responsibilities, you have a very weak position legally. This control ensures that employment contracts and agreements spell out information security obligations clearly for both sides.
On the employee side, contracts should cover the obligation to follow security policies, the responsibility to protect organisational information, confidentiality obligations that survive after they leave, and the consequences of non-compliance. On the organisation's side, commitments like providing security training and the necessary tools should also be documented.
This applies to everyone who touches your data - permanent employees, contractors, and temporary staff alike. The specific agreement type varies (employment contract versus service agreement), but the principle is the same: security responsibilities must be formally documented in a binding agreement.
## How to Implement
Work with HR and legal to review and update your employment contracts and engagement agreements with proper information security clauses. Make sure the clauses are enforceable in your jurisdiction.
Key clauses to include:

- Obligation to comply with information security policies and procedures
- Acknowledgment of responsibility for protecting organisational information and assets
- Specific confidentiality obligations covering company data, client data, and trade secrets
- A prohibition on disclosing or misusing information obtained during employment
- Intellectual property assignment for work-related creations
- Obligation to report security incidents and policy violations
- Agreement to return all organisational assets on termination
- Consequences for security policy violations
Put a separate confidentiality or non-disclosure agreement (NDA) in place that extends beyond the employment period. Define how long post-employment confidentiality lasts - typically 2-5 years, or indefinitely for trade secrets. Make sure it covers all types of confidential information the person may encounter.
For contractors and third-party personnel, include equivalent security clauses in service agreements or require separate confidentiality agreements. Ensure staffing agencies include appropriate security terms in their own agreements with the people they provide.
Get signed agreements before granting access to information and systems. Maintain a register tracking all signed agreements and chase up any gaps. When agreements are updated, get personnel to review and re-sign.
Include security responsibilities in job descriptions to reinforce the contractual obligations. Review agreements periodically to keep them aligned with current policies and legal requirements.
## Evidence Your Auditor Will Request
- Employment contract templates showing information security clauses
- Signed employment contracts with security terms for recent hires
- Confidentiality and non-disclosure agreements for all personnel
- Contractor and third-party service agreements with security obligations
- Register tracking signed agreements and completion status for all personnel
## Common Mistakes
- Employment contracts do not include specific information security responsibilities
- Confidentiality agreements do not extend beyond the employment period
- Contractors and temporary staff do not sign security agreements before starting work
- Agreements are outdated and do not reflect current security policies
- No tracking mechanism to ensure all personnel have signed required agreements
## Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC1.4 | Related |
| GDPR | Art.28(3)(b) | Partial overlap |
| GDPR | Art.32 | Partial overlap |
## Frequently Asked Questions
What happens if we cannot change existing employment contracts?
Should security responsibilities be included in the contract or in a separate agreement?