Annex A 6.6: Confidentiality or Non-Disclosure Agreements
To meet the Annex A 6.6 (Confidentiality or Non-Disclosure Agreements) requirement, you must ensure confidentiality/NDA obligations exist, are signed before access to sensitive information is granted, and are enforceable across employees and relevant third parties. Operationalize it by standardizing templates, embedding NDAs into onboarding and third-party intake, and retaining evidence that agreements cover information security expectations and lifecycle events. [1]
Key takeaways:
- You need signed confidentiality/NDA terms before sharing non-public information or granting system/data access.
- Scope must cover employees and third parties with access to confidential information, including post-engagement obligations.
- Audits are won on evidence: templates, signed agreements, access gating, exceptions, and periodic attestations. [1]
Annex A 6.6 focuses on a basic control with outsized audit impact: written confidentiality commitments that match how your business actually shares information. If your organization uses contractors, outsourcers, cloud providers, implementation partners, or even visiting customers in secure areas, you are already exchanging sensitive information. Annex A 6.6 expects you to govern those exchanges with confidentiality or non-disclosure agreements (NDAs) that are appropriate to the information, the relationship, and the risk. [1]
For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat confidentiality terms as an access prerequisite and a third-party lifecycle control. That means: (1) define what “confidential” includes in your context, (2) standardize contract language, (3) require signature before access, (4) integrate the check into HR onboarding and third-party intake, and (5) retain evidence in a system that can answer auditor questions quickly. If you operate Daydream for third-party risk and control evidence, map Annex A 6.6 to a documented control and schedule recurring evidence capture so you are not rebuilding the story during audits. [1]
Regulatory text
Control reference: ISO/IEC 27001:2022 Annex A control 6.6 implementation expectation (Confidentiality or Non-Disclosure Agreements). [1]
Operator interpretation of the control text: Annex A 6.6 expects your ISMS to require confidentiality or non-disclosure agreements where needed, and to be able to show they exist and are used in practice. Your job is to make confidentiality terms (a) consistently applied to the right populations, (b) aligned to your information classification and access model, and (c) provable with retained evidence. [1]
Plain-English interpretation (what the requirement means)
You must have written confidentiality commitments in place for people and organizations that can see or handle your non-public information. Those commitments should:
- Define what information is covered.
- State how it can and cannot be used or shared.
- Require protection and appropriate handling.
- Survive the end of employment/engagement where appropriate.
- Be executed (signed/accepted) before sensitive access happens.
- Be discoverable during an audit without a scramble. [1]
Who it applies to
Entity scope: Any organization implementing ISO/IEC 27001:2022 controls within its ISMS scope, including service organizations that process customer data or operate customer-facing systems. [1]
Operational scope (typical populations):
- Employees (including interns and temporary staff).
- Contractors, consultants, and agents.
- Third-party service providers (including cloud/SaaS, managed services, support providers).
- Subprocessors engaged by your third parties (where your contracting model supports flow-down).
- Visitors with potential exposure to confidential discussions, screens, or documents (handled via visitor NDAs or visitor confidentiality terms). [1]
Common trigger events:
- New hire onboarding.
- Contractor onboarding.
- New third-party procurement or renewal.
- New project involving data sharing (integration, support, incident response, analytics).
- M&A diligence where sensitive documents are shared.
- Facility tours or on-site work in secure areas. [1]
What you actually need to do (step-by-step)
1) Define the confidentiality boundary you will enforce
Create a short “Confidential Information Definition” that matches your business reality:
- Include customer data, proprietary code, security artifacts (diagrams, pentest reports), credentials, pricing, and non-public financials.
- Tie it to your information classification scheme (even a simple Public / Internal / Confidential / Restricted model).
- State exclusions (publicly known information, independently developed info, lawful disclosure).
This definition becomes the anchor for templates and reviews. [1]
2) Standardize approved NDA/confidentiality templates
Maintain templates owned by Legal with GRC input:
- Employee confidentiality/IP agreement (often embedded in employment terms).
- Contractor/consultant NDA (short-form, fast signature).
- Mutual NDA (for partnerships and pre-sales).
- Third-party services agreement clause set (confidentiality clause + security schedule reference).
- Visitor NDA or visitor confidentiality notice (lightweight, operationally realistic). [1]
Practical drafting checks (what auditors and security reviewers look for):
- “Purpose limitation” (use only for providing services / evaluating relationship).
- “Need-to-know” disclosure and accountability.
- Minimum protection standard (e.g., “at least reasonable care”); align with your security policy references.
- Breach notification expectations (if you include it here, keep consistent with your incident process).
- Return/destruction of information at end of engagement.
- Survival clause (confidentiality continues after termination for a defined period or as allowed by counsel).
- Right to injunctive relief (common legal posture; confirm with counsel).
Keep the language consistent across populations to avoid control gaps. [1]
3) Gate access on signature (make it operational, not aspirational)
Set a clear operating rule: no access and no data sharing until the NDA/confidentiality terms are executed.
- HR: onboarding checklist requires signed confidentiality agreement before account provisioning.
- IT: joiner workflow checks HR status before provisioning sensitive group membership.
- Procurement: third-party intake requires executed MSA/NDA before sending restricted docs or granting support portal access.
- Sales/BD: mutual NDA is required before sharing non-public architecture/security materials. [1]
This is where most programs fail: they have templates, but access gets granted anyway “to keep things moving.” Fix the workflow so exceptions are visible and approved.
4) Build a coverage map (who is covered, by what instrument)
Create a simple matrix and keep it current:
| Population | Agreement type | System of record | Access gating control | Owner |
|---|---|---|---|---|
| Employees | Employment confidentiality terms | HRIS / e-sign | HR onboarding gate | HR |
| Contractors | Contractor NDA | VMS / e-sign | Ticketing gate | HR + IT |
| Third parties | MSA confidentiality clause / NDA | CLM | Procurement gate | Procurement + Legal |
| Visitors | Visitor NDA / notice | Visitor log | Reception process | Facilities |
Auditors respond well to this because it proves you understand scope and can evidence coverage quickly. [1]
5) Handle exceptions with discipline
You will have edge cases: emergency support, regulator requests, or legacy suppliers. Create an exception path:
- Document why signature couldn’t happen first.
- Define compensating controls (limited access, read-only links, time-bound credentials).
- Require retrospective execution where possible.
- Track exceptions to closure.
Store exceptions with the same rigor as the agreements. [1]
6) Retain evidence in a way you can actually produce
A control that cannot be evidenced is treated as not operating. Implement a recurring evidence capture routine aligned to your audit calendar:
- Quarterly pull of new hires vs. signed confidentiality agreements.
- Sample of third-party contracts executed during the period with confidentiality terms.
- Evidence of access gating (tickets, workflow approvals, screenshots of system rules).
Daydream can map Annex A 6.6 to a documented control operation and schedule recurring evidence requests to HR, Legal, and Procurement so you collect proof continuously rather than at audit time. [1]
Required evidence and artifacts to retain
Keep artifacts that prove design and operation:
Design evidence
- Policy or standard stating confidentiality/NDA requirement and when it applies.
- Approved NDA/confidentiality templates and clause library.
- Procedure/runbook for onboarding and third-party intake gates.
- Coverage map (matrix) and RACI. [1]
Operational evidence
- Executed/signed agreements (employees, contractors, third parties), stored in HRIS/CLM/e-sign with timestamps.
- Access provisioning records showing gating (tickets, approvals, identity governance records).
- Visitor logs with NDA acknowledgement where used.
- Exception register with approvals and closure evidence.
- Training/attestation records if confidentiality is reaffirmed through periodic acknowledgements. [1]
Common exam/audit questions and hangups
Expect auditors to push on these points:
- “Show me the NDA or confidentiality terms for a sample of new hires and contractors.”
- “How do you ensure third parties sign before receiving customer data or access?”
- “Where is the system of record, and who can retrieve agreements?”
- “Do confidentiality obligations survive termination? Show the clause.”
- “How do you handle emergency access or urgent support before paperwork is complete?”
- “How do you cover subprocessors or downstream parties, contractually?” [1]
Hangups usually appear when Legal owns contracts, HR owns onboarding, and Security owns access, but no one owns the end-to-end control.
Frequent implementation mistakes and how to avoid them
- Templates exist, but no gating exists. Fix: make signature a workflow prerequisite for access and data sharing.
- Coverage gaps for non-employees. Fix: explicitly include contractors, consultants, and temporary staff in the policy and intake workflows.
- Agreements are scattered across inboxes. Fix: designate a system of record (CLM/HRIS/e-sign repository) and enforce storage rules.
- NDAs don’t match information classification. Fix: define “confidential information” in a way that aligns to your classification and actual data types.
- No evidence of operation. Fix: schedule recurring evidence capture and maintain a sample set aligned to audit periods; Daydream helps by tying Annex A 6.6 to evidence tasks and reminders. [1]
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement. Practically, Annex A 6.6 reduces risk in three ways:
- Limits unauthorized disclosure and misuse by setting contractual expectations.
- Supports legal remedies if confidential information is misused.
- Creates a clear audit trail that information sharing is controlled and intentional. [1]
Practical 30/60/90-day execution plan
First 30 days (stabilize and stop the bleeding)
- Inventory where NDAs/confidentiality terms exist today (HR, Legal/CLM, procurement drives).
- Pick the systems of record for employees/contractors and third parties.
- Publish a short standard: “No NDA/no access/no data sharing,” with exception handling.
- Identify top high-risk third parties and confirm executed confidentiality terms exist. [1]
Days 31–60 (standardize and integrate)
- Finalize templates (employee, contractor, mutual NDA, services clauses) with Legal.
- Implement onboarding/procurement gates in HR and procurement workflows.
- Build the coverage map and RACI; assign owners for evidence pulls.
- Create the exception register and approval flow. [1]
Days 61–90 (prove operation and make it repeatable)
- Run an internal sample test: pick recent joiners and new third parties; confirm signatures pre-date access grants.
- Collect and store evidence packets (signed agreements + tickets/screenshots) in an audit-ready folder or GRC repository.
- Add recurring evidence capture tasks in Daydream so HR/Legal/Procurement deliver artifacts on a predictable cadence.
- Close gaps: retroactive signatures where feasible, or document exceptions with compensating controls. [1]
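The quarterly "new hires vs. signed agreements" pull in step 6 and the day-61–90 sample test (signatures must pre-date access grants) are the same reconciliation, and it is worth scripting so the result is repeatable evidence. The following is an added example, not code from the original page or from Daydream; the record layouts, identities and timestamps are constructed assumptions standing in for HRIS/CLM/e-sign and identity-governance exports.

```python
from datetime import datetime

# Constructed sample: identity -> timestamp of first sensitive access grant
# (what an identity-governance or ticketing export would give you).
ACCESS_GRANTS = {
    "alice@example.test": "2024-03-04T09:15:00",
    "bob@example.test": "2024-03-05T11:00:00",
    "vendor-acme": "2024-03-06T14:30:00",
    "carol@example.test": "2024-03-07T08:45:00",
}
# Constructed sample: identity -> (instrument, signature timestamp) from e-sign/CLM.
SIGNED_AGREEMENTS = {
    "alice@example.test": ("employee-confidentiality-terms", "2024-03-01T16:00:00"),
    "bob@example.test": ("contractor-nda", "2024-03-05T12:30:00"),  # signed after access
    "vendor-acme": ("msa-confidentiality-clause", "2024-03-02T10:00:00"),
}
# Constructed sample: exception register; an approved entry covers a gating gap.
EXCEPTIONS = {
    "bob@example.test": {"approved_by": "grc-control-owner", "closed": True},
}


def check_signature_gating(grants, agreements, exceptions):
    """Classify each identity that received access as one of:
    'ok'                 signed instrument exists and pre-dates the grant
    'exception'          gap exists but an approved exception covers it
    'signed_after_access' instrument exists but was signed after the grant
    'no_agreement'       no instrument on record at all
    """
    findings = {}
    for ident, granted_at in grants.items():
        granted = datetime.fromisoformat(granted_at)
        record = agreements.get(ident)
        if record is None:
            status = "no_agreement"
        elif datetime.fromisoformat(record[1]) > granted:
            status = "signed_after_access"
        else:
            status = "ok"
        # A documented, approved exception is acceptable evidence; an unapproved one is not.
        if status != "ok" and exceptions.get(ident, {}).get("approved_by"):
            status = "exception"
        findings[ident] = status
    return findings


def open_gaps(findings):
    """Identities that must go into the exception register or get a retroactive signature."""
    return sorted(i for i, s in findings.items() if s in ("no_agreement", "signed_after_access"))
```

Run it against each audit period's exports and file the output alongside the signed agreements and tickets as the evidence packet.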
Frequently Asked Questions
Do we need an NDA for every third party?
You need confidentiality obligations for any third party that may access non-public information within your ISO scope. Sometimes that is a standalone NDA; other times it is a confidentiality clause in the master services agreement. [1]
Can confidentiality be handled inside an employment agreement instead of a separate NDA?
Yes, if the employment terms clearly impose confidentiality obligations that cover the information types you protect and survive termination where appropriate. Keep it retrievable and link it to onboarding evidence. [1]
What’s the minimum evidence an auditor will accept?
Expect to show an approved template, a population-to-agreement coverage map, and executed agreements for a sample of in-scope people and third parties. Also show that access is gated or exceptions are controlled. [1]
How do we handle urgent support where a third party needs access immediately?
Use a documented exception with time-bound, least-privilege access and require retrospective signature as soon as practicable. Record who approved the exception and when access was removed or normalized. [1]
Do visitor NDAs really matter for ISO 27001?
If visitors can overhear sensitive discussions, view screens, or access secure areas, visitor confidentiality terms are a reasonable control. Keep the process lightweight so facilities staff can execute it consistently. [1]
How should we operationalize this across HR, Legal, and Procurement without constant chasing?
Assign a single control owner in GRC, define systems of record, and automate evidence collection. Daydream helps by mapping Annex A 6.6 to a control procedure and generating recurring evidence requests with audit-ready packaging. [1]
Footnotes
[1] Source: ISO/IEC 27001 overview; ISMS.online Annex A control index.