Control Definition
Employment contracts and related agreements must spell out information security responsibilities on both sides—what the organization expects of the individual, and what the organization itself is responsible for.
Control Objective
To ensure that employees understand and formally agree to their information security responsibilities before they begin work, creating legally enforceable obligations and reducing ambiguity about acceptable behavior.
What This Really Means
Terms and conditions of employment means including information security clauses in employment contracts, offer letters, and agreements that employees sign when they join. These clauses spell out what employees must and must not do regarding data protection, confidentiality, acceptable use, and intellectual property.
Think of it like a rental agreement that says "no smoking, no pets, no subletting"—it sets clear expectations and consequences. Your employment contract should similarly say: "You must protect company data, follow security policies, not share credentials, return all devices upon termination, and acknowledge that violating these terms may result in disciplinary action including termination."
This control requires you to embed security responsibilities into the legal employment relationship, not just in standalone policies employees might ignore. It covers confidentiality agreements (NDAs), intellectual property assignment (code/inventions belong to the company), acceptable use acknowledgment, obligation to report security incidents, and post-employment obligations (can't take customer lists to your next job). The contract creates accountability and legal recourse if employees mishandle information.
Why It Matters
Without formal contractual obligations, employees may claim "I didn't know I couldn't do that" when they leak data, steal IP, or violate policies. A well-drafted employment agreement eliminates that defense and provides legal grounds for enforcement.
Without information security terms in employment contracts, organizations face:
- No Legal Recourse for Policy Violations – If security obligations aren't in the contract, you can't terminate employees for violating them without risking wrongful termination lawsuits
- Intellectual Property Disputes – Employees claim code they wrote or inventions they created belong to them, not the company, leading to costly litigation (happens frequently in India)
- Data Theft and Competitive Harm – Departing employees take customer lists, source code, or business plans to competitors; without contractual restrictions, you can't stop them
- Ambiguity About Responsibilities – Employees claim they weren't told they had to encrypt laptops, report phishing, or avoid personal use of company systems
Indian employment law is employee-friendly, so you need well-drafted contracts that comply with local labor laws while protecting organizational interests. The Digital Personal Data Protection Act, 2023 (DPDPA) also makes organizations liable for employee mishandling of personal data, which makes contractual obligations critical.
Implementation Guidance
Draft or Update Employment Contract Template with Security Clauses
Work with legal counsel to create contract language covering: (1) Confidentiality obligations during and post-employment. (2) Intellectual property assignment (all work belongs to company). (3) Acceptable use policy acknowledgment. (4) Obligation to protect sensitive data and follow security policies. (5) Prohibition on unauthorized disclosure. (6) Duty to report security incidents. (7) Return of company property upon termination. Use clear, enforceable language compliant with Indian Contract Act and state-specific labor laws.
Include Non-Disclosure Agreement (NDA) Provisions
Embed NDA clauses requiring employees to keep confidential information secret during employment and for a specified period afterwards (typically 2-5 years post-termination). Define what is confidential: customer data, source code, business strategies, financial information, security procedures. Specify exceptions (publicly available information, legally compelled disclosure). Make breach of the NDA grounds for immediate termination and legal action.
Add Intellectual Property Assignment Clauses
Include language: "All inventions, code, documentation, designs, and creative works developed using company resources or during working hours are the exclusive property of the Company." This prevents employees from claiming ownership of software they wrote, databases they designed, or processes they created. Critical for IT companies and startups. Comply with Copyright Act 1957 Section 17 (work-for-hire doctrine).
Reference Security Policies and Require Acknowledgment
The contract should state: "Employee agrees to comply with all company policies including the Information Security Policy, Acceptable Use Policy, and BYOD Policy as amended from time to time." Require a separate signed acknowledgment during onboarding confirming that the employee has read and understands these policies. Retain the acknowledgment forms in personnel files.
Define Post-Employment Obligations and Restrictions
Specify what happens after employment ends: (1) Return all company property (laptops, phones, access cards, documents) immediately. (2) Delete all company data from personal devices. (3) Confidentiality obligations continue for X years. (4) Non-compete clauses if applicable (must be reasonable in scope/duration to be enforceable in India). (5) Non-solicitation (can't recruit colleagues or poach clients). Document return of property in exit checklist.
Specify Monitoring and Privacy Disclosures
Include a clause such as: "Company reserves the right to monitor all use of company systems, networks, email, and internet. Employees have no expectation of privacy when using company resources." This consent is legally required before monitoring employee communications. Also disclose: "Company may conduct searches of company property including desks, lockers, and bags on company premises."
Obtain Legal Review and Employee Signatures
Have employment contracts reviewed by legal counsel specializing in Indian labor law to ensure enforceability and compliance with the applicable state Shops and Establishments Act, the consolidated central labor codes, and state-specific laws. Obtain employee signature on contract during onboarding before granting system access. Provide employee with signed copy. Maintain original in secure HR files.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.6.2:
Documentation
- Employment contract template showing information security clauses and NDA provisions
- Signed employment contracts for all employees in personnel files
- Policy acknowledgment forms signed by employees during onboarding
- Legal review documentation confirming contract compliance with local laws
- Exit checklist documenting return of company property and data deletion
Interviews
- HR team about contract review processes and ensuring all employees sign agreements
- Legal counsel about clause enforceability and compliance with Indian labor laws
- Random employees to verify they recall signing contract and understanding obligations
Observations
- Review of recent hire files showing signed contracts before system access granted
- Examination of contract language to verify security clauses are present and clear
- Check that contract references current versions of security policies
- Verification that departing employees complete exit checklist and return property
Practitioner Insights

I've investigated multiple cases where employees stole customer databases or source code when leaving. In every case where we had strong employment contracts with IP assignment and NDA clauses, we got court injunctions and settlements. In cases with weak contracts (or no contracts at all), we had no legal recourse—the employees just claimed "You never said I couldn't." Always include clear, specific security obligations in employment agreements.

Many startups use boilerplate contract templates downloaded from the internet that aren't enforceable under Indian law. Non-compete clauses, for example, are generally unenforceable in India except in narrow circumstances (sale of business, partnership dissolution). Get proper legal review—contracts must comply with Indian Contract Act, labor laws, and recent Supreme Court precedents. Don't rely on copy-paste templates.
Common Challenges & Solutions
Challenge
Existing employees were hired before security clauses were added to contracts—how do we apply obligations retroactively?
Solution
Issue an addendum to the employment contract or a "Policy Acknowledgment Agreement" requiring all employees to sign the updated terms. Frame it as: "As part of our ISO 27001 certification, all employees must acknowledge security responsibilities." Offer a small incentive if needed (training credit, certificate). For employees who refuse, consult legal counsel; you may need to make signing a condition of continued employment.
Challenge
Employees claim they signed the contract without reading it or understanding the security obligations.
Solution
Implement proper onboarding: HR should walk new employees through key contract clauses, highlight security sections, and answer questions before signature. Provide contract in advance (don't surprise people on day one). Require initials on each page. Conduct security orientation training on first day referencing contract obligations. This demonstrates you made good-faith effort to ensure understanding.
Challenge
Departing employees refuse to return laptops, phones, or delete company data from personal devices.
Solution
The contract should state: "Failure to return company property will result in final salary withholding and legal action." Implement MDM (Mobile Device Management) so that company data can be remotely wiped. Disable accounts immediately upon resignation notice. Require return of property before issuing the relieving letter and full-and-final settlement. For high-risk departures (admin access, sensitive data), escort the employee out and collect devices immediately.
Challenge
We want to include non-compete clauses but heard they're not enforceable in India.
Solution
Broad non-competes are unenforceable (Indian Contract Act Section 27 prohibits restraint of trade). However, you CAN enforce: (1) Confidentiality obligations (can't share trade secrets). (2) Non-solicitation (can't poach clients/employees for 1-2 years). (3) IP protection (can't use company code at new job). Focus on these enforceable protections. For senior executives, garden leave (paid notice period without work) can keep them out of market temporarily.
Challenge
Contractors and freelancers work on sensitive projects—do they need employment contracts with security clauses?
Solution
They need equivalent provisions in consulting agreements or statements of work (SOW). Include: (1) NDA covering project data. (2) IP assignment (deliverables belong to company). (3) Security obligations (follow company policies, protect credentials). (4) Return of materials upon project completion. (5) Audit rights. Treat contractors with same rigor as employees for contractual security obligations.