AuditFront

ISO 27001 A.6.6: Confidentiality or non-disclosure agreements

What This Control Requires

Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

In Plain Language

Without a signed NDA, you have limited legal recourse if someone discloses your confidential information. This control is about putting proper confidentiality agreements in place with everyone who accesses sensitive data - employees, contractors, suppliers, and business partners.

NDAs need to be specific enough to be useful. They should clearly define what information is covered, what the signatory is obligated to do, what disclosures are permitted, how long the obligation lasts, and what happens if someone breaches the agreement.

The important part that many organisations miss: NDAs are not a sign-once-and-forget exercise. They need regular review to keep pace with the types of information you handle and any changes in the legal landscape. Auditors will check that you have a register, that coverage is complete, and that your templates are current.

How to Implement

Create standard NDA templates for different relationship types. You will likely need separate versions for employees (often built into employment contracts), contractors and consultants, suppliers and service providers, business partners, and visitors who may be exposed to confidential information.

Every NDA should include:

  • a clear definition of confidential information (by category rather than exhaustive listing)
  • the receiving party's obligations
  • permitted disclosures (such as with prior written consent or as required by law)
  • the duration of the confidentiality obligation
  • provisions for returning or destroying confidential information
  • remedies for breach, including the right to seek injunctive relief
  • governing law and jurisdiction

Set up a process for identifying when NDAs are needed. The rule is simple: sign before sharing. Trigger points include new employee or contractor onboarding, engaging a new supplier or service provider, sharing information with potential business partners, and granting visitors access to sensitive areas or meetings.

Maintain a register of all signed NDAs tracking the signatory, date signed, scope, and expiration. Set up reminders for review and renewal before they expire. Store NDAs securely but make them accessible to people who need to verify coverage.

Review your NDA templates at least annually. Check whether the definition of confidential information still covers everything you handle, whether the duration is adequate, whether legal or regulatory changes require updates, and whether new types of relationships need new or modified templates.

Include NDA requirements in your supplier security management process. Every supplier who accesses confidential information needs a signed NDA. Where a supplier pushes back with their own template, negotiate terms that meet your requirements.

Evidence Your Auditor Will Request

  • NDA templates for different relationship types
  • Register of signed NDAs with tracking of signatories and expiration dates
  • Signed NDAs for all personnel, contractors, and relevant third parties
  • Records of periodic NDA reviews and updates
  • Process documentation for identifying when NDAs are required

Common Mistakes

  • NDAs are not in place for all personnel and third parties who access confidential information
  • NDA templates are outdated and do not cover current types of confidential information
  • No register or tracking system for signed NDAs
  • NDAs are signed at onboarding but not reviewed or renewed when circumstances change
  • NDAs lack clear definitions of what constitutes confidential information

Related Controls Across Frameworks

Framework | Control ID     | Relationship
SOC 2     | CC9.2          | Partial overlap
GDPR      | Art. 28(3)(b)  | Partial overlap
GDPR      | Art. 32        | Partial overlap

Frequently Asked Questions

Can an NDA be part of the employment contract or does it need to be separate?
Both approaches work. A separate NDA is often preferable because it can be drafted to expressly survive termination of the employment contract, it can be updated independently without amending the contract, and it is easier to reference and enforce on its own. Many organisations do both: general confidentiality clauses in the employment contract plus a detailed standalone NDA for specifics. Whichever approach you take, the signed document should be traceable in your NDA register so you can show an auditor that coverage is complete.
How long should an NDA last?
Match the duration to the sensitivity of the information. For general business information, 2-5 years after the relationship ends is typical. For trade secrets, the obligation should last as long as the information qualifies as a trade secret, which could be indefinite. For project-specific NDAs, a defined period after project completion is common. Always check with legal counsel that the duration you choose is enforceable in your jurisdiction.
