All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI SCIM Integration
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base DORA Knowledge Base
Company Security and customers first
About News Partners Contact

Confidentiality or non-disclosure agreements

Annex A control 6.6 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 13.2.4

There should be measures put in place by an organisation to protect confidential or personal information from unauthorised disclosure, establishing confidentiality agreements. This is the focus of control 6.6.

Considering the organisation’s unique information security needs, organisations should work with interested parties and staff to create agreements that cover the kind of information to be managed, its classification level, its purpose, and the access levels allowed.

Understanding non-disclosure agreements

Otherwise known as an NDA or confidentiality agreement, a non-disclosure agreement is a legal document barring the disclosure of trade secrets or confidential information. This could cover a company’s business plan, finances, customer data, or other exclusive details. NDAs are utilised in a variety of circumstances, such as:

  • As part of a new employee’s contract. This ensures that new staff can’t divulge confidential information about the business, products, services, personnel or suppliers.
  • For former employees upon leaving, to stop them revealing sensitive information after employment.
  • Business deals like combining with another brand or purchasing a firm, to stop parties from revealing confidential information gained during the transaction.
  • Partnerships where one or both parties want to stop their existing client/supplier relationships being disclosed to a new partner. Each partner agrees to keep any confidential information shared between the two partners wholly confidential.

Why are confidentiality agreements important?

Confidentiality agreements serve a range of purposes, which is why they are so commonly used by businesses and individuals alike. These objectives include protecting trade secrets from competitors who could exploit it, and preventing staff from divulging sensitive data to other businesses.

Confidentiality agreements are also important in security intellectual property rights like copyrights and patents.

The purpose of control 6.6

Whenever personnel, partners, or vendors collaborate with an organisation, control 6.6 should be utilised. It focuses on securing an organisation’s data and making others aware of their obligation to safeguard information responsibly and lawfully. It is also useful in preserving intellectual property rights.

NDAs should be put in place before any confidential information is disclosed, clarifying the recipient’s responsibility to uphold the secrecy of the information.

Understanding Annex A control 6.6

Stopping confidential data being shared with third parties is the main goal of control 6.6. This requires organisations to establish legal arrangements that control the use of classified information.

The control defines confidential information as any data that has not been made public or shared with other businesses, such as trade secrets, client registries, formulas and business tactics.

Under control 6.6, organisations are encouraged to take necessary steps to ensure that access to sensitive data doesn’t continue after an employment or partnership has ended. When a third party leaves an organisation, steps must be taken to reduce the risk of them exposing sensitive information.

The importance of consent

In any case where disclosure of information is necessary, consent must be gained from the organisation owning the information. This is vital in safeguarding business activities, research and intellectual property.

NDAs must be prepared with the intent to protect all sensitive data in order to comply with control 6.6. It is vital that all parties involved understand their responsibilities and duties under the agreement both during and after the partnership.

Confidentiality clauses can be included in contracts stretching beyond the employment or partnership term, ensuring information remains secure. A departing employee must transfer all security duties to someone new, with all access removed.

Meeting the requirements of control 6.6

Control 6.6 outlines several key elements that should be considered when assessing or creating confidentiality and non-disclosure agreements. These are:

  • The data itself
  • The duration of the agreement, including any instances where confidentiality must be sustained perpetually
  • The necessary steps to be taken in the event of an agreement’s termination
  • The necessary action by signatories to prevent the unauthorised disclosure of agreement
  • The ownership of data, confidential business knowledge, and intellectual property
  • The rights to use confidential information in line with its authorisation
  • Regarding extremely classified data, the entitlement to oversee or evaluate activities
  • The processes involved in informing unapproved sharing of information
  • The destruction or return of information upon termination of the agreement
  • The measures to be taken if the agreement is breached

NDAs must abide by law, and should be reviewed periodically or if changes occur.

What’s changed since 2013?

Control 6.6 replaces 2013’s control 13.2.4, but while they are very similar they are not identical. The implementation instructions in the 2022 version differ slightly and are more detailed. More user-friendly language is used in the 2022 version to ensure maximum accessibility, and it also includes statements of intent and attribute tackles to aid understanding and implementation.