Control 6.6 in ISO 27002:2022 covers the need for organisations to prevent the leakage of confidential information by establishing confidentiality agreements with interested parties and personnel.
Organisations should determine the terms of their agreements with other parties based on the organisation’s information security requirements, taking into account the type of information to be handled, its classification level, its intended use, and permitted access by the other party.
A confidentiality or non-disclosure agreement (NDA) is a legal document that prevents the release of trade secrets and other confidential information.
Confidential information may include the company’s business plan, financial data, customer lists and other proprietary information. These agreements can be used in a wide range of situations, including:
Partnerships often include confidentiality clauses as part of their partnership agreement so each partner agrees not to disclose any confidential information obtained during their partnership.
Confidentiality agreements are entered into by individuals and businesses alike. They have many purposes, such as:
Controls are classified using attributes. Using these, you can quickly match your control selection with commonly used industry terms and specifications.
Attributes for control 6.6 are:
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality | #Protect | #Human Resource Security #Information Protection #Supplier Relationships Security | #Governance and Ecosystem |
Control 6.6 should be implemented in order to ensure the security of information when personnel, partners, and vendors work with an organisation.
This control is intended to safeguard the organisation’s information and to inform signatories of their responsibility to handle and protect information in a responsible and authorised way. It is also used as a tool for protecting intellectual property rights, such as patents, trademarks, trade secrets and copyrights.
It is important for employers to have a non-disclosure agreement in place before disclosing any confidential information to an employee or contractor. The agreement will set out how closely the individual should guard the information that they are exposed to and how long the period of confidentiality will run for after employment has ended.
Control 6.6 aims to protect the intellectual property and business interests of your organisation by preventing the disclosure of sensitive information to third parties. It refers to a legal contract or arrangement between your organisation and its employees, partners, contractors, vendors and other third parties that governs the use of confidential information.
Confidential information is any information that has not been made available to the public or other companies in a similar industry. Examples include trade secrets, customer lists, formulas and business plans.
The control should also be applied when assessing whether a third party will have access to sensitive personal data, and whether steps are needed to ensure that the third party does not retain, or continue to access, the organisation’s sensitive personal data after the relationship ends.
When an organisation determines that a third party is exiting the business relationship, and there is a risk that sensitive organisational or company data may be disclosed as a result, the organisation must take reasonable steps before that third party leaves, or as soon as possible after they have left, to prevent such disclosure.
Under an agreement that satisfies control 6.6, the parties do not disclose the confidential information it covers. The information may be disclosed only with the written consent of the organisation or in accordance with a court order. This is important for protecting sensitive information about business practices, intellectual property and research and development.
To meet the requirements of control 6.6, a confidentiality or non-disclosure agreement needs to be carefully drafted so that it covers all trade secrets and sensitive data in the organisation’s dealings and transactions. Both parties must understand their obligations under the contract, both during and after the end of the business relationship.
A confidentiality clause may also be included in other contracts, with obligations that extend beyond the end of the employee’s employment or the third party’s engagement.
When a person leaves a business relationship or changes jobs, their security responsibilities and duties must be handed over to a successor, and their access credentials revoked rather than reassigned; the successor should be issued their own credentials.
The following elements should be considered when identifying requirements for confidentiality and non-disclosure agreements:
The organisation should ensure that confidentiality and non-disclosure agreements are in compliance with the laws of the jurisdiction where they apply.
A review of confidentiality and nondisclosure agreements should occur periodically and whenever changes impact their requirements.
More information on how this works is available in the ISO 27002:2022 standard document.
Control 6.6 in the new ISO 27002:2022 is not a new control, rather, it is a modified version of control 13.2.4 in ISO 27002:2013.
The two controls share most of their features but differ in detail: the implementation guidance in the two versions is similar but not identical.
The first part of the implementation guidance in control 13.2.4 in ISO 27002:2013 states that:
“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organisation. Elements should be selected or added in consideration of the type of the other party and its permissible access or handling of confidential information.”
The same section in control 6.6 of ISO 27002:2022 states that:
“Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to interested parties and personnel of the organisation.
Based on an organisation’s information security requirements, the terms in the agreements should be determined by taking into consideration the type of information that will be handled, its classification level, its use and the permissible access by the other party.”
Both controls have the same structure and serve the same function in their respective editions. The 2022 wording is broader in scope, applying to “interested parties and personnel” rather than “external parties or employees”, and it uses plainer, more user-friendly language so that the content and context are easier to understand and those using the standard can relate to it more easily.
In addition, the 2022 version of ISO 27002 includes statements of purpose and attributes tables for each control, which help users understand and implement the controls more effectively. These two sections are not available in the 2013 edition.
In most organisations, the human resources department manages the drafting and implementation of confidentiality or non-disclosure agreements for control 6.6, in collaboration with the supervising manager or department responsible for the third party concerned.
The supervising manager could be the Information Security Officer, sales or production manager.
These departments and heads are also responsible for ensuring that any third party vendors used by the organisation have adequate security measures in place to protect confidential information from unauthorised disclosure or use.
They should make sure that all employees sign a confidentiality agreement when they start working for the company.
In most cases (depending on how large the organisation is), confidentiality or non-disclosure agreements are signed by all employees who have access to confidential information.
This typically includes any employee who works in sales, marketing, customer service or other departments where they might come into contact with confidential information regarding clients, customers or vendors.
Even where no written agreement is yet in place with a particular party, organisations should have a policy requiring employees to sign a confidentiality agreement before they are granted access to sensitive information about clients or vendors.
Some risks associated with not having an adequate confidentiality agreement policy in place include: