Annex A · People Control

A.6.2 — Terms and Conditions of Employment

Reviewed by: Cenedril Editorial
Tags: A.6.2 · ISO 27001 · ISO 27002 · BSI ORP.2

A security incident occurs. The investigation reveals that an employee shared customer data with a personal cloud account. When HR reviews the employment contract, there is no mention of data handling, acceptable use or consequences for policy breaches. The employee’s defense: “Nobody told me.” A.6.2 closes this gap.

The control requires that employment agreements — whether for permanent staff, temporary workers or contractors — explicitly state the person’s information-security responsibilities and the organization’s expectations. This includes confidentiality, acceptable use, incident reporting and consequences for violations.

What does the standard require?

The core requirements break down as follows:

  • Contractual security obligations. Every employment agreement must include the person’s information-security responsibilities — what they must do and what they must refrain from doing.
  • Confidentiality. Contracts must address the duty to protect confidential information, including obligations that persist after the employment relationship ends.
  • Acceptable use. The agreement should reference the organization’s acceptable-use policies for information assets, email, internet and mobile devices.
  • Incident reporting. The contract should oblige the person to report security events and suspected weaknesses promptly.
  • Consequences. The agreement must state the disciplinary or legal consequences of violating security policies.
  • Updates. When policies or legal requirements change, affected contracts should be updated or supplemented accordingly.

In practice

Create a standard IS annex for employment contracts: a one-to-two-page annex listing confidentiality duties, acceptable use, incident-reporting obligations and post-employment restrictions. HR attaches it to every new contract and every renewal.

Maintain a signed-acknowledgement register. Track who has signed which version of the IS policy acknowledgement. When policies are updated, trigger a re-acknowledgement cycle and follow up on outstanding signatures.

Cover all personnel types. Permanent employees, contractors, temporary workers, interns — each needs an appropriate agreement. For contractors, the relevant clauses typically go into the service agreement or a separate NDA.

Align with the policy lifecycle. When the ISMS policy set is revised, review the contract templates. If a new policy introduces obligations that are missing from current contracts, issue an addendum or re-acknowledgement.

Typical audit evidence

Auditors typically expect the following evidence for A.6.2:

  • Contract template with IS clauses — the current standard employment contract or annex (link to HR Security Policy in the Starter Kit)
  • Signed acknowledgements — evidence that each employee has accepted their IS obligations
  • Contractor agreements — service contracts or NDAs with equivalent security clauses
  • Re-acknowledgement records — proof that acknowledgements were renewed after policy changes
  • Template version history — evidence that contract templates are reviewed and updated

KPI

% of employment contracts containing current IS responsibility clauses

Measured as a percentage: how many active employment relationships (employees, contractors, temporary staff) have a signed agreement referencing the current version of your IS policies? Target: 100%. A common starting point is 70–85%, with the gap typically sitting in contractor agreements and legacy contracts.

Supplementary KPIs:

  • % of employees with a signed policy acknowledgement dated within the last 12 months
  • Average time to issue an addendum after a major policy change
  • Number of active contracts without any IS clause
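The signed-acknowledgement register described under "In practice" and the KPIs above can be computed from the same data. The following is an added example, not code from the page or from Cenedril; the register layout, the policy version identifiers, the reporting date and all personnel records are constructed assumptions. It calculates the primary KPI (share of active agreements referencing the current policy version), the 12-month acknowledgement KPI, the list of contracts with no IS clause at all, and the follow-up list for a re-acknowledgement cycle grouped by personnel type, which is where the contractor and legacy-contract gap typically shows up.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed assumption: version id of the currently approved IS policy set.
CURRENT_POLICY_VERSION = "2024-02"
# Constructed assumption: reporting date for the 12-month KPI.
AS_OF = date(2024, 6, 30)


@dataclass(frozen=True)
class Agreement:
    """One row of the acknowledgement register (constructed layout)."""
    person: str
    personnel_type: str                  # employee, contractor, temporary, intern
    has_is_clause: bool                  # contract, annex or NDA contains any IS clause
    acknowledged_version: Optional[str]  # policy version the person signed for, None if never
    acknowledged_on: Optional[date]      # date of the most recent signed acknowledgement


# Constructed sample register; names and dates are invented.
REGISTER = [
    Agreement("alice", "employee", True, "2024-02", date(2024, 3, 1)),
    Agreement("bob", "employee", True, "2023-05", date(2023, 9, 10)),
    Agreement("carol", "contractor", True, "2024-02", date(2024, 4, 12)),
    Agreement("dave", "contractor", False, None, None),
    Agreement("erin", "temporary", True, "2022-11", date(2022, 11, 20)),
    Agreement("frank", "intern", True, "2024-02", date(2024, 5, 2)),
]


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 for an empty register."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def current_clause_pct(register, current_version=CURRENT_POLICY_VERSION) -> float:
    """Primary KPI: % of active agreements whose signed acknowledgement
    references the current policy version. Target is 100%."""
    current = [a for a in register
               if a.has_is_clause and a.acknowledged_version == current_version]
    return pct(len(current), len(register))


def recent_ack_pct(register, as_of=AS_OF, window_days=365) -> float:
    """Supplementary KPI: % with a signed acknowledgement dated within the window."""
    cutoff = as_of - timedelta(days=window_days)
    recent = [a for a in register
              if a.acknowledged_on is not None and a.acknowledged_on >= cutoff]
    return pct(len(recent), len(register))


def contracts_without_is_clause(register) -> list:
    """Supplementary KPI: active agreements that carry no IS clause at all."""
    return [a.person for a in register if not a.has_is_clause]


def reacknowledgement_backlog(register, current_version=CURRENT_POLICY_VERSION) -> dict:
    """Follow-up list for a re-acknowledgement cycle: everyone not signed up
    to the current version, grouped by personnel type so HR can see
    whether the gap sits with employees, contractors or temporary staff."""
    backlog: dict = {}
    for a in register:
        if a.acknowledged_version != current_version:
            backlog.setdefault(a.personnel_type, []).append(a.person)
    return backlog


if __name__ == "__main__":
    print(f"Current IS clause coverage: {current_clause_pct(REGISTER)}%")
    print(f"Acknowledged within 12 months: {recent_ack_pct(REGISTER)}%")
    print(f"No IS clause at all: {contracts_without_is_clause(REGISTER)}")
    print(f"Re-acknowledgement backlog: {reacknowledgement_backlog(REGISTER)}")
```

The primary KPI deliberately counts only acknowledgements of the current version: a signature on an outdated policy is recorded but does not count toward the target, which is what triggers the re-acknowledgement cycle after each policy revision.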

BSI IT-Grundschutz

A.6.2 maps primarily to BSI ORP.2 (Personnel):

  • ORP.2.A1 (Regulated responsibilities and duties) — requires documented assignment of responsibilities, including information-security duties.
  • ORP.2.A4 (Qualification and training of employees) — requires contractual mention of training obligations.
  • ORP.2.A5 (Obligation of employees to comply with policies) — explicitly requires a signed obligation to follow information-security rules.
  • ORP.2.A14 (Personnel measures in the event of changes) — requires that contracts address what happens when a person changes roles or leaves.

A.6.2 sits between screening and awareness in the people-security lifecycle: the obligations are agreed at hiring, once screening is complete, and are then reinforced through awareness and training.

Frequently asked questions

What security topics should employment contracts cover?

At a minimum: confidentiality obligations, acceptable use of assets, incident-reporting duties, consequences for policy violations, obligations that survive termination (e.g. NDA clauses) and the employee's responsibility to follow all ISMS policies.

Do contractor agreements need the same clauses?

Yes. A.6.2 applies to all personnel, including contractors, consultants and agency workers. The vehicle may differ (service agreement vs. employment contract), but the security obligations must be equivalent.

How often should contracts be reviewed for current IS clauses?

Whenever the ISMS policy landscape changes significantly — for example, after a major policy revision, a regulatory change or an organizational restructuring. Many organizations combine this review with the annual ISMS management review.