The topic of confidentiality agreements is mentioned a number of times throughout ISO27001 annex A controls. In fact, it is referenced 9 times throughout the standard, which should give you some indication of the importance of this control.
So what is actually needed? How difficult is this control to implement?
What does the standard require?
The standard states that “Confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.” (A6.6 – Confidentiality or non-disclosure agreements).
As always, we would draw your attention to the multiple requirements listed within the control. It clearly states that confidentiality or non-disclosure agreements shall be:
Identified – do you know where these clauses exist and why you need them?
Documented – they need to exist as documented information
Reviewed – regular review of these requirements is necessary
Signed – you need agreement to these clauses by some affirmative action
Why is this required?
Under ISO27001 Annex A control A6.2 - Terms and conditions of employment, we discussed how contracts of employment formalise your expectations of personnel and other interested parties. This is so that there can be no misunderstanding of what you expect of them, alongside what they will do for you.
Without clearly stating your expectations around confidentiality and non-disclosure, ISO27001 Annex A control A6.5 - Termination or change of employment responsibilities falls down too. This is because when someone leaves your employment, or a contract ends, you need to remind them of their obligations towards non-disclosure and confidentiality.
What the auditor is looking for
The auditor will typically want to see employment contracts, supplier agreements and customer agreements that include clauses related to:
Obligations of confidentiality
Non-disclosure
Use of intellectual property
The auditor will want to see evidence of regular reviews of these contracts, which can come in the form of meeting minutes and notes taken during your supplier review process. This is covered in the ISO27001 Annex A Control A5.22 - Monitoring, review and change management of supplier services.
What do you need to do?
Review your employment and supplier contracts to confirm that the above topics are covered. Speak to your legal specialist and ask them to draft an appropriate confidentiality and non-disclosure clause for inclusion within your contracts.
The clauses should clearly outline your needs and expectations for the confidentiality of the information and data that the person signing the contract is likely to come into contact with.
Q & A
What’s the difference between an NDA and Confidentiality Agreement?
First thing to say is, we’re not lawyers! But our understanding is that an NDA is most often a one-directional agreement (although two-way NDAs are quite common). The NDA commits one party to agree not to disclose information they are given access to.
A Confidentiality agreement most often involves multiple parties, who all agree to keep information they are given access to, confidential.
Drawing from our experience, the terms are frequently used interchangeably, but in a court of law, failing to have one or both adequately covered can lead to unfavourable outcomes. Don’t take a chance – seek legal advice on wording.
Difficulty rating
We rate this a 1 out of 5 for difficulty. It isn’t difficult, because it is often covered elsewhere when you develop your contracts and policies. It requires input from your HR function, your supplier management function and, most likely, your legal team too.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ for answers on other aspects of the standard. Follow the links in this control to see its relationship to other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.