
ISO27001:2022 - A6.2 – Terms and conditions of employment

ISO27001 is about protecting your most important assets, and possibly one of the most important aspects of this is defining expectations of those who will interact with these assets. That’s what this control is looking to address.


Ensuring everyone is clear about their role and understands what is expected of them isn't just for ISO27001 or for Information Security. We would suggest this is a fundamental requirement of business, and it's important to do it right, right from the start.


What does the standard require?

The standard states that "The employment contractual agreements shall state the personnel's and the organisation's responsibilities for information security." (A6.2 – Terms and conditions of employment).


Look carefully at the control: can you see that there are actually two requirements here? The control requires that you define both the personnel's and the organisation's responsibilities. Therefore we need to look at this ISO27001 control from two perspectives.


Why is this required?

Contracts of employment formalise your expectations of personnel, so that there can be no misunderstanding of what you will do for them and what they will do for you. When you will pay them and what their holiday entitlement is are just as important (to them) as it is for you to define what their role is and when you expect them to work.


Without defined terms and conditions how are you or anyone expected to know what they are required to do?


Although, technically speaking, not having a written contract in place isn't against the law, it could place both you and them at risk.


Having a contract in place protects you and the personnel from being mistreated and therefore should be considered a foundational control for your business.


What the auditor is looking for

For this ISO27001 control, the auditor will want to see your Terms and Conditions or contract templates, along with evidence of signed contracts. Your contracts should include clauses related to information security. These topics will specifically include:


  • Job Descriptions

  • Non-Disclosure

  • The need for confidentiality (both during and after employment ends)

  • Information Security

  • Data Protection

  • Intellectual property and copyright

  • Definition of misconduct (which includes breach of policies)


They will want to talk through the process of obtaining signed contracts. For example, do you send the contract before the start date? Do you use an electronic system to gather signed contracts? Finally, they may also ask for evidence that contracts are updated when someone changes role.


What do you need to do?

Speak to your HR specialist about what contracts are in place, and obtain a copy of them.


Ensure the contract covers the topics outlined above. Remember that contracts are specific to your business and can be structured in a number of ways, so don't worry about how the topics are covered; just make sure you can evidence that they are covered.


If these topics are not covered, then either you or your HR or legal specialist will need to write the specific clauses.


If you don't have an HR specialist to help, then seek legal advice, or at the very least buy an employment contract template. But do so from a reputable HR or business source, because this requirement is broader than Information Security and therefore you need to be confident that it isn't simply satisfying an ISO27001 control!


Once you have a contract that covers these topics, ensure you have evidence of signed contracts and of how they are signed. You don't have to document the process, but during your own internal audits you should verify that the process works.


Q & A

Can I write an employment contract myself?

Technically speaking, yes. But we would not recommend it. Your employment contract protects you and your employee in a number of ways, so don't leave it to chance.


Do I need to update Contracts regularly?

No, but they should be reviewed if someone's role changes or there are significant changes in your business. For example, you might need to update the contract because of a legal change in the country or sector. Back in 2018 many organisations needed to change their contracts due to the introduction of the General Data Protection Regulation (GDPR). Of course, if you change your expectations of an employee, such as changing their place or hours of work, then you will need to change their contract.


Difficulty rating

We rate this a 1 out of 5 difficulty rating. This isn't a difficult control to implement: you only need to speak to your HR or legal specialist or function to evidence that this control is in place. It's not your job to write these contracts, but you do need to evidence that the topics outlined above are covered.


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our ISO27001 FAQ to gain answers on other aspects of the standard. Follow the links in this control to see its relationship with other controls, but if you're still confused about this control, then please get in touch.


For information on how to implement ISO27001, you might like to consider buying our book "The Real Easy Guide to ISO27001", which is available on Amazon.


