Control Definition
Confidentiality and non-disclosure requirements that reflect the organization's actual needs for protecting information must be identified, documented in agreements, signed by personnel and other relevant interested parties, and reviewed at regular intervals and whenever changes make a review necessary.
Control Objective
To maintain the confidentiality of information that is accessible to personnel and external parties, by making protection obligations legally explicit and keeping them current.
What This Really Means
Your access controls stop at the edge of your systems, but your information does not. It moves into a contractor's memory, a prospect's inbox during a sales deep-dive, a due-diligence data room, the head of a departing engineer. A confidentiality agreement is the control that travels with the information after technology loses sight of it — a legal obligation attached to the person instead of the system.
A.6.6 asks for more than owning an NDA template. The control has four verbs: identify what confidentiality terms your information actually needs, document those terms in agreements, get them signed by employees and the external parties who matter, and review them regularly so they keep matching your business and the law. A template drafted years ago that never mentions personal data, cloud collaboration, or your current product line fails the first verb no matter how many people signed it.
In practice this lands as a small family of documents rather than one. Employees usually carry a confidentiality clause inside the employment contract (overlapping with A.6.2), sometimes reinforced by a standalone agreement for high-sensitivity roles. Third parties get an NDA: one-way when only you disclose, mutual when both sides share. Whatever the format, strong terms define what counts as confidential information, what the recipient may and may not do with it, how long the duty lasts — including survival after termination — what must be returned or destroyed when the relationship ends, who owns the material, which disclosures are permitted (legal compulsion, professional advisers), and what happens on breach.
What auditors treat as the heart of the control is traceability and currency: pick any person or organization with access to sensitive information and produce their signed, current agreement within minutes — and show evidence that the templates themselves were reviewed when the law or the business changed.
Why It Matters
Most information loss runs through relationships, not exploits: the salesperson who joins a competitor with the pipeline in their head, the agency that reuses your campaign data, the prospect who saw your pricing logic in a proof of concept. Technical controls end where the relationship begins. Past that point, what you can enforce is what was signed.
There is also an evidentiary angle that surprises many leadership teams: in most jurisdictions, legal protection for trade secrets and confidential business information depends on showing you took reasonable steps to keep the material secret — and signed agreements are exhibit one. Where agreements are missing, generic, or stale, the consequences follow a pattern:
- No recourse when people leave – without written obligations that survive exit, pursuing a former employee who took client lists or designs is slow, expensive, and frequently futile
- Trade secret protection weakened – courts ask what steps you took to keep the information secret; unsigned or boilerplate agreements undermine the claim before the facts are even heard
- Third parties with no accountability – vendors, prospects, and partners who saw sensitive material with nothing signed owe you no contractual duty to protect it
- Deals stalled at due diligence – enterprise customers and investors sample agreement discipline, and one unsigned counterparty surfaces at the worst commercial moment
- A people-control nonconformity – certification auditors sample recent joiners, contractors, and suppliers for signed terms; a single gap in the sample becomes a finding
Regional Compliance Context
India. Confidentiality obligations are generally enforceable under Indian contract law, but post-termination non-compete restraints largely are not — so never rely on a non-compete clause to do an NDA's job; the confidentiality terms must stand on their own. And under the DPDP Act 2023, an NDA is not a substitute for data protection obligations: sharing personal data with a vendor still requires the processing terms expected between a data fiduciary and its processors. Treat the NDA as the confidentiality layer, not the privacy contract.
Gulf. Saudi Arabia's PDPL and the UAE federal PDPL regulate disclosure of personal data by statute regardless of what private agreements say. Confidentiality agreements with regional partners and suppliers supplement controller-processor terms — they never replace them.
Implementation Guidance
Map Where Confidentiality Requirements Arise
Inventory the relationships and information flows that need legal protection: employees and contractors, suppliers and their staff, sales prospects in technical evaluations, due-diligence counterparties, advisors, and interview candidates exposed to non-public material. Tie each to the information types involved — trade secrets, source code, client data, personal data, financials — using your classification scheme as the reference.
Define the Standard Terms Every Agreement Must Contain
With legal counsel, fix the non-negotiable clauses: a clear definition of confidential information, permitted use and permitted disclosures (legal compulsion, professional advisers), duration including post-termination survival, return or destruction obligations at the end of the relationship, ownership of the information and derived work, breach notification duties, and governing law. This documented term set is the "identified and documented" evidence the control asks for.
Build a Small, Version-Controlled Template Library
Maintain three or four templates instead of one: an employee confidentiality clause for employment contracts, a one-way NDA for when you disclose, a mutual NDA for two-way exchanges, and a short-form version counterparties can sign quickly for lower-stakes situations. Version-control each template and record its last legal review date.
Wire Signature Into Lifecycle Workflows
Make signing automatic at the moments information starts to flow: HR onboarding before system access is provisioned, procurement onboarding before any data is shared with a supplier, and sales engagements before technical deep-dives or pilots. Use an e-signature platform so execution takes minutes and the record is created by default.
Track Every Signed Agreement in a Register
Maintain a central register — a contract management system, or a structured repository plus a tracking sheet — recording who signed, which template version, the date, the counterparty entity, the duration, and any negotiated deviations. The register is what lets you answer an auditor's sampling question in minutes instead of days.
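A register only earns its keep if it can be queried the way an auditor samples it: start from the people and organizations with access and trace each to a signed, current agreement. The script below is an added example, not part of the control text or of any contract management product. It reconciles an access list against a register in Python and reports only the gaps: no agreement on file, a template that does not fit the relationship, a template version older than the last legal review, an expired term, or a leaver whose duty did not survive exit. The template names, current version numbers, relationship categories, acceptance rules and the sample parties are all assumptions constructed for the example.

```python
"""Reconcile an access list against the register of signed confidentiality agreements.

Added example with a hypothetical register layout; the template names, version
numbers, acceptance rules and sample parties below are constructed, not real.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed template library and the version produced by the last legal review.
CURRENT_TEMPLATE_VERSIONS = {
    "employee-clause": 3,
    "nda-one-way": 2,
    "nda-mutual": 4,
    "nda-short": 1,
}

# Assumed policy: which templates satisfy which relationship type. The short-form
# NDA is accepted for external parties only below the "restricted" classification.
ACCEPTABLE_TEMPLATES = {
    "employee": {"employee-clause"},
    "contractor": {"nda-one-way", "nda-mutual", "nda-short"},
    "supplier": {"nda-one-way", "nda-mutual", "nda-short"},
    "prospect": {"nda-one-way", "nda-mutual", "nda-short"},
}


@dataclass
class Agreement:
    party: str                  # employee ID or counterparty legal entity
    template: str
    version: int
    signed_on: date
    term_months: Optional[int]  # None: runs for the life of the relationship
    survives_exit: bool         # duty continues after the relationship ends


@dataclass
class Access:
    party: str
    relationship: str           # employee | contractor | supplier | prospect
    classification: str         # highest classification the party can reach
    active: bool
    ended_on: Optional[date] = None


def add_months(d: date, n: int) -> date:
    """Calendar-month addition, clamping the day to the target month's length."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
    days = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    return date(year, month, min(d.day, days[month - 1]))


def check_party(access: Access, agreement: Optional[Agreement], today: date) -> List[str]:
    """Return the findings for one party; an empty list means the trace succeeds."""
    if agreement is None:
        return ["missing"]
    findings: List[str] = []
    if not access.active:
        # For a leaver or an ended engagement the only question is survival of the duty.
        if not agreement.survives_exit:
            findings.append("no-survival")
        return findings
    allowed = ACCEPTABLE_TEMPLATES.get(access.relationship, set())
    if agreement.template not in allowed or (
        agreement.template == "nda-short" and access.classification == "restricted"
    ):
        findings.append("wrong-template")
    if agreement.version < CURRENT_TEMPLATE_VERSIONS.get(agreement.template, 0):
        findings.append("stale-template")  # still binding, but terms predate the last review
    if agreement.term_months is not None and add_months(agreement.signed_on, agreement.term_months) <= today:
        findings.append("expired")
    return findings


def reconcile(access_list: List[Access], register: List[Agreement], today: date) -> Dict[str, List[str]]:
    """Trace every party with access to a current, signed agreement; return only the gaps."""
    by_party: Dict[str, Agreement] = {}
    for a in register:
        # Keep the most recently signed agreement per party.
        if a.party not in by_party or a.signed_on > by_party[a.party].signed_on:
            by_party[a.party] = a
    gaps: Dict[str, List[str]] = {}
    for access in access_list:
        findings = check_party(access, by_party.get(access.party), today)
        if findings:
            gaps[access.party] = findings
    return gaps


# Constructed sample data: the parties, dates and names are invented for the example.
TODAY = date(2025, 3, 1)
ACCESS = [
    Access("E-1042", "employee", "confidential", True),
    Access("C-2001", "contractor", "restricted", True),
    Access("Acme Logistics Ltd", "supplier", "confidential", True),
    Access("Orbit Analytics Inc", "prospect", "restricted", True),
    Access("E-0877", "employee", "restricted", False, date(2025, 1, 15)),
]
REGISTER = [
    Agreement("E-1042", "employee-clause", 3, date(2024, 6, 3), None, True),
    Agreement("C-2001", "nda-one-way", 1, date(2022, 2, 1), 24, True),      # old version, term lapsed
    Agreement("Acme Logistics Ltd", "nda-short", 1, date(2024, 11, 20), 12, True),
    Agreement("E-0877", "employee-clause", 2, date(2021, 9, 1), None, False),  # left, no survival clause
]

if __name__ == "__main__":
    for party, findings in reconcile(ACCESS, REGISTER, TODAY).items():
        print(f"{party}: {', '.join(findings)}")
```

Run it on exports from HR, procurement and the e-signature platform at the same cadence as an access review; a "stale-template" finding is a prompt to decide whether re-execution is needed, whereas "missing", "expired" and "no-survival" are the gaps an auditor's sample would turn into a finding.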
Review Templates at Planned Intervals and on Triggers
Schedule an annual legal review of all templates, plus trigger-based reviews when privacy or employment law changes, when you enter new markets or business lines, and after any disclosure incident. Record the outcome of every review even when the decision is "no change" — the review trail is evidence in its own right.
Operationalize Exit and Breach Handling
Add a confidentiality reminder to the leaver checklist so departing staff acknowledge their surviving obligations (linking to A.6.5), and define the playbook for suspected breaches: who escalates to legal, how evidence is preserved, and how the event enters your security event reporting channel under A.6.8.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.6.6:
Documentation
- Confidentiality and NDA templates (employee clause, one-way, mutual) with version history and legal review records
- Register of signed agreements mapping every employee, contractor, and relevant third party to a template version and signature date
- Sampled signed agreements retrievable from onboarding files, vendor folders, or the e-signature platform
- Review records showing annual or trigger-based template reviews and what changed as a result
- Procedure defining which relationship types require which agreement before information is shared
Interviews
- HR manager on how confidentiality terms are executed at onboarding and whether signature gates system access
- Procurement or vendor manager on when NDAs are required before sharing information with suppliers and prospects
- Legal counsel or template owner on the review cycle and what prompted the most recent template change
Observations
- Auditor picks a recent joiner and a recently onboarded supplier and traces each to a signed, current agreement
- E-signature platform or contract repository demonstrated live — searchable, dated, complete
- Onboarding workflow showing the signature step positioned before access provisioning
Practitioner Insights

Auditors rarely ask whether an NDA template exists — they pick the contractor who joined three months ago, or the supplier onboarded in a hurry last quarter, and ask to see the signed agreement. Across audits, the gaps are always in the long tail: freelancers, due-diligence counterparties, the pilot customer who saw your architecture diagrams. Treat the agreement register like an access review — periodically sample everyone with access to sensitive information and confirm a current, signed agreement exists for each. If you cannot trace from a name to signed terms in a few minutes, you are carrying a finding that simply has not been written up yet.

The startup pattern I see constantly: a confidentiality clause sits in the offer letter, so the team considers the control done — meanwhile product demos, advisor conversations, and freelance engagements run with nothing signed. The fix is not more paperwork; it is wiring signature into the moments information starts to flow — vendor onboarding, contractor engagement, the sales deep-dive. Keep a one-page mutual NDA a counterparty can sign the same day, because a perfect twelve-page template that sits unsigned for three weeks protects nothing.
Common Challenges & Solutions
Challenge
Agreements were signed at some point, but nobody can locate them when an auditor — or a lawyer — asks.
Solution
Centralize execution and storage in one e-signature platform or contract repository, and backfill the register from HR and procurement files. Going forward, make signature a workflow gate: no system access and no data sharing until the agreement is filed. Retrieval time is the real test — aim for minutes.
Challenge
One generic template is used for every situation — employee, vendor, prospect — and it fits none of them.
Solution
Build a small library: employee clause, one-way NDA, mutual NDA, and a short-form version for low-stakes exchanges. Add a half-page decision guide so non-lawyers pick the right one. Fit matters legally — terms that misdescribe the relationship are exactly what opposing counsel attacks first.
Challenge
Templates have not been reviewed in years and predate current privacy law and the current business model.
Solution
Schedule an annual legal review with a standing trigger list: new privacy legislation, new markets, new information types, any disclosure incident. Record outcomes even when nothing changes. The review trail is precisely what the "regularly reviewed" requirement sends auditors looking for.
Challenge
Counterparties refuse your template or insist on their own paper, and deals queue up behind legal review.
Solution
Accept counterparty NDAs after a checklist review against your minimum terms — definition of confidential information, duration, return or destruction, permitted disclosures — instead of forcing your template every time. Pre-agree fallback positions with counsel so negotiation does not restart with each deal. Log accepted deviations in the register.
Challenge
People treat a signed NDA as permission to share freely — the agreement becomes a substitute for judgment.
Solution
Train the distinction: an NDA creates recourse after a leak; it does not prevent one. Disclosure should still follow need-to-know and classification handling rules, with the agreement as the legal backstop. Pair every NDA execution with a one-line reminder of what may actually be shared in that engagement.