ISO 27001 Control 6.2: Terms and Conditions of Employment

Terms and Conditions of Employment for Information Security Overview

Clearly defined terms and conditions of employment are fundamental in ensuring that personnel understand their responsibilities for information security. These contractual agreements help align individual roles with the organisation’s security policies, ensuring compliance with legal, ethical, and operational standards while fostering a culture of accountability and trust.


Purpose

The primary purpose of outlining terms and conditions of employment is to establish a mutual understanding of information security responsibilities. By doing so, organisations can ensure that personnel adhere to protocols appropriate to their roles and access levels, reducing risks and maintaining the confidentiality, integrity, and availability of organisational resources.


Guidance


Key Elements of Employment Contracts

Employment contracts should explicitly detail the responsibilities of both personnel and the organisation regarding information security.


Key points to include are:


  1. Confidentiality Agreements:

    • Require personnel with access to confidential information to sign non-disclosure agreements (NDAs) before being granted access to sensitive data or associated assets (refer to control 6.6).

  2. Legal Responsibilities:

    • Clearly state personnel’s obligations under copyright laws, data protection regulations, and other applicable legal frameworks (refer to controls 5.32 and 5.34).

  3. Information Classification:

    • Define responsibilities for handling and classifying organisational information, as well as managing related assets, processing facilities, and services (refer to controls 5.9 to 5.13).

  4. Third-Party Information Handling:

    • Specify how personnel should manage information received from external parties to ensure compliance with security requirements.

  5. Consequences of Non-Compliance:

    • Outline actions the organisation may take if personnel fail to adhere to security requirements, including disciplinary measures (refer to control 6.4).


Communicating Responsibilities

Information security roles and responsibilities should be communicated to candidates during the pre-employment process. Ensuring transparency early on helps candidates understand and agree to their obligations before joining the organisation.


Access-Based Terms

Terms and conditions should be tailored to reflect the level of access personnel have to organisational assets and systems. This approach ensures proportionality between the role’s risks and associated responsibilities. For example:

  • Personnel with access to highly sensitive data should agree to stricter terms regarding confidentiality and security.

  • Roles with limited access may require less extensive security-related obligations.


Updates to Terms and Conditions

Employment terms and conditions should be reviewed and updated when:

  • Laws, regulations, or industry standards change.

  • Organisational policies or specific security requirements are revised.

Changes must be communicated promptly, and personnel should acknowledge their agreement to the updated terms.


Post-Employment Responsibilities

Where applicable, terms and conditions should define obligations that extend beyond employment, such as:

  • Continuing confidentiality agreements for a specified period after departure.

  • Restrictions on the use or sharing of organisational information post-employment (refer to control 6.5).


Special Considerations for External Parties

For personnel associated with external suppliers, the organisation should ensure that suppliers enter into contractual agreements addressing their staff’s information security responsibilities. In cases where the organisation is not a legal entity or lacks direct employees, equivalent agreements should be considered.


Code of Conduct

A code of conduct can complement employment contracts by explicitly stating expected behaviours related to:

  • Confidentiality and the protection of personally identifiable information (PII).

  • Ethical and responsible use of organisational information and assets.

  • Adherence to best practices that support the organisation’s security objectives.


By reinforcing organisational expectations, the code of conduct plays a vital role in creating a secure and professional workplace environment.


Conclusion

Clearly defined terms and conditions of employment are essential for aligning personnel with the organisation’s information security objectives. By detailing responsibilities, addressing compliance requirements, and specifying the consequences of non-compliance, organisations can minimise risks and maintain a strong security posture. Regular reviews and updates to these terms ensure they remain relevant in the face of evolving legal, regulatory, and operational needs, fostering trust and accountability across the workforce.


About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.