How to Use NDAs and Confidentiality Clauses to Protect Information
ISO 27001 Control 6.6 – Confidentiality or non-disclosure agreements – is about making sure that everyone who sees your sensitive information is formally bound to protect it.
That includes employees, contractors, suppliers, partners – anyone who has access to your confidential information, trade secrets, or customer data. Control 6.6 expects you to use confidentiality or non-disclosure agreements (NDAs) in a consistent, deliberate way, not as an afterthought.
This guide explains what ISO 27001 Control 6.6 is really asking for, and how to put practical, reusable NDAs and confidentiality clauses in place.
What ISO 27001 Control 6.6 Actually Requires
In plain English, ISO 27001 Control 6.6 – Confidentiality or non-disclosure agreements – expects you to:
- Identify where you need confidentiality or non-disclosure agreements to protect information.
- Make sure agreements clearly describe what’s confidential, how it can be used, and what’s not allowed.
- Ensure people understand their responsibilities for protecting information, both during the relationship and, where the agreement requires it, after the relationship ends.
- Review and update agreements periodically so they stay legally valid, relevant, and aligned with your security needs.
This doesn’t always mean separate standalone NDAs. Very often, the requirements of ISO 27001 Control 6.6 are met through:
- Employment contracts
- Supplier / service contracts
- Partner agreements
- Project-specific NDAs
The key is that confidentiality obligations are clearly written, appropriate to the risk, and actually used.
Step 1 – Decide Where You Need Confidentiality or NDAs
Start by mapping where sensitive information is shared. Typical areas where ISO 27001 Control 6.6 applies:
- Employees and permanent staff
– Access to internal systems, customer data, financial information, technical documentation, source code, roadmaps.
- Contractors and temporary workers
– Developers, consultants, support staff, outsourced teams with access to your environments or data.
- Suppliers and service providers
– Managed IT providers, cloud services, payroll providers, marketing agencies, call centres.
- Customers and partners
– When you share internal designs, architectures, test data, or pre-release features.
- Prospects and pre-sales situations
– When you provide detailed demos, share data models, or talk about pricing models and internal methods.
- Visitors
– Onsite visitors who may see sensitive information on screens, whiteboards, or in documents.
For each group, decide:
- What kind of information they see
- What could go wrong if they disclosed or misused it
- Whether confidentiality is already covered in a contract or whether you need a separate NDA
That analysis is part of showing that you’ve implemented ISO 27001 Control 6.6 in a risk-based, proportionate way.
Step 2 – Standardise Your Confidentiality or Non-Disclosure Agreements
Rather than drafting new wording every time, create standard templates and clause sets you can reuse. For ISO 27001 Control 6.6, it’s helpful to have:
- A standard employee confidentiality clause
– Embedded in employment contracts
– Linked to your information security policy and acceptable use policy
- A mutual NDA template
– For partners or customers where both sides share confidential information
- A one-way NDA template
– For situations where only you (or only the other party) are disclosing sensitive information
- Standard confidentiality sections in supplier contracts
– Built into your master services agreement or data processing agreement
- A simple visitor confidentiality notice
– Included in sign-in forms or visitor policies where appropriate
Having these standardised templates makes it easier to:
- Use confidentiality or non-disclosure agreements consistently
- Demonstrate alignment with ISO 27001 Control 6.6 across the organisation
- Maintain them over time when laws, processes, or risks change
Step 3 – Core Elements to Cover in NDAs and Confidentiality Clauses
ISO 27001 Control 6.6 doesn’t prescribe exact wording, but auditors will expect to see certain themes.
Your confidentiality or non-disclosure agreements should normally cover:
- Definition of confidential information
– What is considered confidential (e.g. source code, customer lists, financial data, technical designs, roadmaps, contracts, internal policies).
– Whether oral information can be confidential and how it should be marked or confirmed.
- Purpose and permitted use
– Why the information is being shared (e.g. evaluation, delivery of services, project collaboration).
– Clear limits on how the information may be used and by whom.
- Access and onward disclosure
– Who is allowed to see the information (e.g. employees on a need-to-know basis, approved subcontractors).
– Restrictions on sharing with third parties without prior written consent.
- Security expectations
– A requirement to protect information using reasonable or appropriate security controls.
– Alignment with any specific standards or policies (e.g. your information security policy, data protection requirements).
- Ownership and intellectual property
– Clarify who owns existing information and any new IP created.
– Confirm that receiving confidential information does not transfer ownership.
- Duration of confidentiality
– How long the confidentiality obligations last (e.g. for the duration of the contract plus X years, or until the information becomes public by lawful means).
- Exceptions
– Common exceptions (public information, already known by the recipient, independently developed, legally required disclosure).
- Breach reporting and notification
– A requirement to promptly notify you of any suspected or actual unauthorised disclosure or loss of information.
– Alignment with your incident management and data breach procedures.
- Return or destruction of information
– What must happen at the end of the relationship: return, secure destruction, or confirmation that copies have been deleted.
- Audit and monitoring rights (where appropriate)
– In higher-risk scenarios, a right to verify compliance (on-site or via evidence) may be useful.
- Jurisdiction and remedies
– Which law governs the agreement.
– The types of remedies available (e.g. injunctive relief, damages).
You don’t have to make every NDA long and legalistic. For simple situations (e.g. low-risk visitor access), you can use lightweight wording that still supports ISO 27001 Control 6.6.
Step 4 – Integrate NDAs into Everyday Processes
ISO 27001 Control 6.6 is easiest to evidence when confidentiality or non-disclosure agreements are baked into your workflows, not handled ad hoc.
Consider:
- Recruitment and onboarding
– Ensure confidentiality obligations are built into the standard employment offer / contract.
– Link them clearly to the information security policy and code of conduct.
- Supplier onboarding
– Make confidentiality and information security clauses part of your standard procurement templates.
– Trigger an NDA or specific confidentiality clause during the supplier selection or contracting phase.
- Sales and pre-sales
– Use NDAs for deep technical demos, sharing of architectures, or commercial models with prospects.
– Provide sales and pre-sales teams with a simple NDA process they can follow without delay.
- Projects and collaborations
– Include confidentiality or non-disclosure agreements as part of your project initiation checklist.
- Access control and third-party access
– Ensure that no external admin, support engineer, or consultant gets access to critical systems without appropriate confidentiality coverage.
Make sure signed NDAs and contracts are stored in a consistent location (e.g. contract management system, HR system, or shared drive) so you can retrieve them if an auditor asks for evidence of ISO 27001 Control 6.6.
Step 5 – Raise Awareness and Make Responsibilities Clear
NDAs can easily become “something people sign and forget”. ISO 27001 Control 6.6 works better when you bring those responsibilities to life.
You can:
- Highlight the existence and purpose of confidentiality or non-disclosure agreements in:
- Induction training
- Annual information security or data protection awareness
- Manager training
- Use plain-English explanations of what people have agreed to, rather than only pointing them to legal text.
- Include short reminders in:
- Acceptable use policies
- Developer or support guidelines
- Remote working and BYOD policies
The aim is to make people understand that:
- Confidentiality is not just a legal box-tick
- They are personally responsible for how they handle the information they see
- There are real-world consequences if information is mishandled
Step 6 – Periodically Review and Update Your Agreements
ISO 27001 Control 6.6 expects confidentiality or non-disclosure agreements to remain effective and appropriate over time.
Plan to review them when:
- Laws and regulations change (e.g. data protection, employment, IP, sector-specific rules).
- You enter new markets or jurisdictions.
- Your services or technology stack change significantly.
- You’ve had an incident or near-miss involving misuse or loss of confidential information.
Work with legal, HR, procurement, and information security to:
- Update templates and standard clauses.
- Retire old versions in favour of the new ones.
- Communicate changes to teams who regularly use NDAs and contracts.
Even a simple review every 1–2 years, documented in your ISMS, goes a long way towards demonstrating compliance with ISO 27001 Control 6.6.
Quick Implementation Checklist for ISO 27001 Control 6.6
Use this checklist to test your current approach:
- ISO 27001 Control 6.6 (Confidentiality or non-disclosure agreements) is referenced in your ISMS documentation.
- There are standard confidentiality or NDA templates for employees, contractors, suppliers, and partners.
- Employment contracts contain clear confidentiality and information protection clauses.
- Supplier and partner contracts include confidentiality, information security, and return/destruction obligations.
- NDAs and confidentiality clauses define:
- What counts as confidential information
- Permitted use and restrictions
- Duration of obligations
- Exceptions and legal basis
- Breach notification responsibilities
- Return or secure destruction of information
- NDA usage is built into:
- HR onboarding
- Procurement and supplier onboarding
- Sales / pre-sales and partnership processes
- Project initiation and third-party access requests
- Signed NDAs and contracts are stored and retrievable.
- Staff are made aware of what they’ve agreed to, not just asked to sign.
- Agreements are reviewed periodically to reflect legal, technical, and business changes.
Bringing It All Together
ISO 27001 Control 6.6 – Confidentiality or non-disclosure agreements – is about taking a deliberate, consistent approach to protecting information when it’s shared with people inside and outside your organisation.
If you:
- Know where confidential information flows,
- Use clear, standardised confidentiality or non-disclosure agreements, and
- Build them into your everyday processes,
you’ll be able to show an auditor that you’re not just relying on trust – you’ve put contractual, documented obligations around your information, and you’re managing them as part of a mature ISMS.