Annex A · People Control

A.6.6 — Confidentiality or Non-Disclosure Agreements

4 min read · Reviewed by: Cenedril Editorial
Tags: A.6.6 · ISO 27001 · ISO 27002 · BSI CON.9

A consultant finishes a six-month engagement and returns to the market. Three months later, a competitor launches a product that mirrors your internal roadmap — feature for feature. The consultant had full access to strategic documents, but never signed an NDA. You have no contractual basis to act. A.6.6 prevents this situation by requiring confidentiality agreements before access is granted.

The control requires that organizations identify their confidentiality requirements, document them in agreements and ensure these agreements are signed by all relevant parties — employees, contractors, suppliers and other external parties with access to organizational information.

What does the standard require?

The core requirements cover five areas:

  • Identify confidentiality needs. Determine which information requires protection through formal agreements, based on the organization’s information classification scheme.
  • Define agreement content. Each NDA must clearly state: what information is considered confidential, the permitted and prohibited uses, the duration of the obligation (including post-termination), the actions required upon termination (return or destruction of materials) and the consequences of breach.
  • Cover all relevant parties. NDAs must be in place for employees, contractors, suppliers, consultants and any other party with access to confidential information.
  • Ensure legal enforceability. Agreements must comply with applicable law and be reviewed by legal counsel to ensure they are enforceable.
  • Review regularly. NDAs should be reviewed and updated when the organization’s confidentiality requirements, legal environment or business relationships change.

In practice

Maintain NDA templates. Create standard templates for (1) employees, (2) contractors/consultants, (3) suppliers and (4) mutual business-partner agreements. Have legal counsel review each template annually.

Integrate NDA signing into onboarding and procurement. For new hires, the NDA is signed as part of the employment contract or alongside it. For suppliers and consultants, the NDA is part of the procurement process — no signed NDA, no access.

Track NDA status in a register. Maintain a register listing every active NDA: party, version, signature date, expiry date and renewal status. This register is the primary audit artifact.

Set renewal alerts. For time-limited NDAs, create calendar alerts well before the expiry date. This is especially important for long-term supplier relationships where NDAs may lapse silently.

Typical audit evidence

Auditors typically expect the following evidence for A.6.6:

  • NDA templates — current versions reviewed by legal counsel (link to HR Security Policy in the Starter Kit)
  • Signed NDAs — for a sample of employees, contractors and suppliers
  • NDA register — list of all active agreements with dates and status
  • Legal review records — evidence that templates were reviewed by legal counsel
  • Renewal records — documentation of NDA renewals and updates

KPI

% of relevant stakeholders with signed and current NDAs

Measured as a percentage: how many individuals and organizations with access to your confidential information have a valid, signed NDA? Target: 100%. The usual gaps are in contractor and supplier populations, where coverage typically starts at 60–80%.

Supplementary KPIs:

  • Number of NDAs expiring in the next 90 days (should trigger a renewal action)
  • Average time to get an NDA signed for new external parties
  • % of NDA templates reviewed by legal counsel in the last 12 months
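As an added example (not code from the original page or from Cenedril), the following Python sketch models the NDA register described under "In practice" and the KPIs above: it uses the register fields named in the text, treats an unsigned or expired NDA as an access gap ("no signed NDA, no access"), and computes the coverage percentage per population plus the 90-day expiry list. The records and party names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class NdaRecord:
    # Field set follows the page: party, version, signature date,
    # expiry date and renewal status; population is added for the KPI split.
    party: str
    population: str             # employee / contractor / supplier
    version: str
    signed_on: Optional[date]   # None = never signed
    expires_on: Optional[date]  # None = no fixed expiry (indefinite)
    renewal_status: str

# Constructed sample register (not real parties).
REGISTER = [
    NdaRecord("Employee A", "employee", "v3", date(2024, 1, 15), None, "n/a"),
    NdaRecord("Consultant B", "contractor", "v2", date(2023, 6, 1), date(2025, 6, 1), "pending"),
    NdaRecord("Supplier C", "supplier", "v2", date(2022, 3, 10), date(2024, 3, 10), "lapsed"),
    NdaRecord("Supplier D", "supplier", "v1", None, None, "not signed"),
]

def is_current(rec: NdaRecord, today: date) -> bool:
    """An NDA counts only if it is signed and either indefinite or not yet expired."""
    if rec.signed_on is None:
        return False
    return rec.expires_on is None or rec.expires_on >= today

def coverage(register, today: date):
    """KPI: % of parties with a signed and current NDA, overall and per population."""
    groups = {}
    for rec in register:
        total, ok = groups.get(rec.population, (0, 0))
        groups[rec.population] = (total + 1, ok + int(is_current(rec, today)))
    per_population = {p: round(100 * ok / total, 1) for p, (total, ok) in groups.items()}
    overall = round(100 * sum(ok for _, ok in groups.values()) / len(register), 1)
    return overall, per_population

def expiring_within(register, today: date, days: int = 90):
    """Supplementary KPI: current NDAs whose expiry falls inside the renewal window."""
    horizon = today + timedelta(days=days)
    return [r.party for r in register
            if is_current(r, today) and r.expires_on is not None and r.expires_on <= horizon]

def access_gaps(register, today: date):
    """Parties that must not hold access: NDA never signed or already expired."""
    return [r.party for r in register if not is_current(r, today)]
```

Run `coverage(REGISTER, date.today())` and `expiring_within(REGISTER, date.today())` against a real export of the register to produce the audit figures; the expected 100% target is met only when `access_gaps` is empty.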

BSI IT-Grundschutz

A.6.6 maps to several BSI modules:

  • CON.9.A9 (Confidentiality agreements) — directly requires that confidentiality agreements are in place for all relevant parties.
  • ORP.2.A5 (Obligation of employees to comply with policies) — includes NDA signing as part of the employee obligation process.
  • OPS.3.2.A18 (Confidentiality agreements with external IT service providers) — specifically addresses NDAs for outsourced IT services.
  • SYS.4.1.A2 (Regulation for the handling of printers, copiers and multifunction devices) — requires NDAs for maintenance personnel with access to devices that process confidential data.

A.6.6 connects to the broader confidentiality framework:

Additional connections: A.5.10 (Acceptable use of information and assets), A.5.12 (Classification of information) and A.5.14 (Information transfer).

Frequently asked questions

Do I need a separate NDA if my employment contract already contains a confidentiality clause?

It depends on the depth of the clause. If the employment contract comprehensively covers the scope of confidential information, the duration of the obligation, the permitted use and the consequences of breach, a separate NDA may not be necessary. Many organizations still use a standalone NDA for clarity and easier updates.

Should NDAs be signed by third parties like suppliers and consultants?

Yes. A.6.6 applies to anyone who accesses organizational information — employees, contractors, suppliers, consultants and business partners. The NDA or equivalent clause should be in place before access is granted.

How long should an NDA remain in force after termination?

There is no standard answer. Common durations range from two to five years post-termination, depending on the sensitivity of the information and the applicable jurisdiction. Some categories of information (trade secrets, for example) may warrant indefinite protection.