When a departing employee walks out with trade secrets, a vendor shares sensitive customer data without restriction, or a contractor gains access to proprietary systems with no legal guardrails, the damage is often irreversible. Organizations without enforceable confidentiality and non-disclosure agreements have no legal mechanism to pursue recourse. ISO 27001 6.6 exists to close that gap before it becomes a breach, a lawsuit, or both.
What 6.6 requires
ISO 27001 Control 6.6 requires organizations to identify, establish, document, and regularly review confidentiality or non-disclosure agreements for all personnel and relevant third parties who access or handle sensitive information. The control applies to every scenario where confidential data changes hands, whether that involves hiring employees, engaging contractors, onboarding vendors, or forming strategic partnerships. These overlap significantly with the broader third-party risk requirements of the ISO/IEC 27001:2022 standard.
In practice, this means organizations must first map every relationship and role that touches confidential information. That includes full-time staff, temporary workers, consultants, outsourced service providers, board advisors, and joint venture partners. Each of these relationships requires a legally binding agreement that clearly defines the boundaries of confidentiality.
Those agreements must specify several critical elements. They need to define what constitutes confidential information, ideally tied to the organization’s information classification scheme rather than left to subjective interpretation. They must articulate the permitted use of that information, the duration of the obligation (which should survive the end of the relationship), and the consequences of a breach. Post-termination obligations are particularly important because the risk of disclosure doesn’t end when someone leaves the organization.
Agreements should also include breach notification requirements, return or destruction of information upon termination, and the governing law under which disputes will be resolved. Return and destruction clauses should follow a recognized data sanitization standard such as NIST SP 800-88 (Guidelines for Media Sanitization) so that confidential information is irreversibly removed from the departing party's systems rather than merely deleted. Organizations should engage legal counsel to draft these agreements rather than relying on generic templates that may not hold up under scrutiny.
Many organizations make the mistake of treating NDAs as a checkbox during onboarding and then never revisiting them. Critically, 6.6 is not a one-time exercise. The control expects regular review of all agreements to ensure they remain current, legally enforceable, and aligned with evolving business relationships, regulatory requirements, and the organization’s own information security policies. Agreements drafted three years ago for a vendor relationship that has since expanded in scope may no longer provide adequate protection.
Why 6.6 matters
A mid-sized financial services firm engages a contractor to help migrate customer records to a new platform. The contractor has full access to personally identifiable information, payment histories, and account details for six months. When the engagement ends, the contractor moves to a competitor and leverages knowledge of the firm’s customer base to target those same clients. The firm has no signed Non-Disclosure Agreement (NDA), no confidentiality clause in the contractor’s engagement letter, and no legal standing to pursue the matter.
This kind of information disclosure risk is particularly severe because the damage is often irreversible. Once confidential data is shared, copied, or used improperly, there is no way to “unshare” it. Without enforceable agreements, even well-intentioned individuals may not fully understand the scope of their obligations or the sensitivity of the information they handle.
The financial exposure is substantial. According to IBM's Cost of a Data Breach Report, malicious insider attacks carry the highest average breach cost at USD 4.92 million, reinforcing why organizations need legal mechanisms that deter unauthorized disclosure and provide clear remedies when breaches occur. Confidentiality agreements serve a dual function here. They establish the legal standing to pursue damages after a breach, and they act as a deterrent that reduces the likelihood of intentional disclosure in the first place.
What attackers exploit
Threat actors and malicious insiders exploit specific gaps in confidentiality governance:
- Departing employees with no post-employment confidentiality obligations: Former staff retain institutional knowledge and, without binding agreements, face no legal consequence for using or sharing it.
- Contractors and temporary workers without signed NDAs: These individuals often receive the same system access as full-time employees but without equivalent legal accountability.
- Vendor relationships with no mutual NDA: Data flows between organizations protected only by goodwill, with no contractual enforcement mechanism if the relationship deteriorates — turning a vendor dispute into a data breach or data leak.
- Expired or never-reviewed agreements: NDAs drafted years ago may reference outdated data categories, defunct business units, or jurisdictions that no longer apply.
- Onboarding gaps where system access is granted before the NDA is signed: A common operational failure where the technical provisioning process moves faster than the legal onboarding workflow.
How to implement 6.6
For your organization (first-party)
Implementing Control 6.6 requires a structured approach that spans legal, HR, IT, and compliance functions. The following steps provide a practical framework.
- Inventory all roles and relationships touching sensitive information. Map every internal role, contractor engagement, vendor relationship, and partnership that involves access to confidential data. Use your information asset register and access control lists as starting points.
- Engage legal counsel for NDA templates. Work with qualified legal professionals to develop NDA templates tailored to your jurisdiction, industry, and risk profile. Generic templates downloaded from the internet frequently contain gaps in enforceability, fail to address jurisdiction-specific requirements, or omit critical clauses.
- Define “confidential information” tied to your classification scheme. Rather than using vague language like “all proprietary information,” align the NDA’s definition of confidential information with your organization’s information classification policy (as required by ISO 27001 Control 5.12). This creates consistency and reduces ambiguity.
- Include key clauses. Every agreement should address scope of confidential information, permitted use and restrictions, duration of obligation (which must survive termination of the relationship), breach notification requirements, remedies and consequences for unauthorized disclosure, and governing law and dispute resolution.
- Embed confidentiality clauses in employment contracts for all staff. For non-employees (contractors, consultants, vendors, board advisors), use standalone NDAs that can be independently enforced.
- Integrate NDA signing into onboarding workflows. Make the executed NDA a prerequisite for system access provisioning. No signed agreement, no credentials. This requires coordination between HR, legal, and IT operations.
- Establish an annual review cadence with legal and compliance teams. Agreements should be reviewed when relationships change in scope, when regulations evolve, and at a minimum annually to confirm continued adequacy.
- Maintain a central register of all signed agreements. This register should track the signatory, date of execution, expiration (if applicable), scope, and review history. It becomes essential audit evidence.
Common mistakes undermine even well-intentioned implementations:
- Using a generic NDA template without legal review for your specific jurisdiction and industry
- Granting system access before the NDA is countersigned, creating a window of unprotected exposure
- Forgetting post-termination obligations, leaving the organization exposed after the relationship ends
- Never reviewing NDAs after the initial signing, even as business relationships evolve significantly
- Covering employees but ignoring contractors, temporary workers, board advisors, and other non-employee personnel
For your vendors (third-party assessment)
When assessing vendors against Control 6.6, the goal is to verify that they apply the same rigor to confidentiality agreements that your organization does internally. Integrating NDAs into vendor risk management is a critical step in the broader third-party risk management lifecycle. Self-attestation alone is insufficient.
Questionnaire questions to include:
- Do you require NDAs or confidentiality agreements for all personnel who access client data?
- How do you define “confidential information” in your agreements?
- Do your NDAs include post-termination obligations? What is the duration?
- What is your process for reviewing and updating NDA templates?
- How do you ensure NDAs are signed before granting system access to new personnel?
Evidence to request:
- A copy of the current, legally reviewed NDA template
- The NDA register showing signed agreements for personnel with access to your data
- Proof of legal review or sign-off on the NDA template
- Onboarding checklist demonstrating that NDA execution is a prerequisite for access provisioning
Red flags during assessment:
- The vendor cannot produce a current NDA template or the template appears outdated
- NDAs do not specifically mention client data or third-party information
- No documented review cadence for agreements
- Post-termination provisions are absent or vaguely worded
- The vendor relies solely on employment contracts without standalone NDAs for contractors and subcontractors
Verification should go beyond reviewing documents. Ask follow-up questions about how agreements are enforced in practice, request evidence of the last review cycle, and confirm that the NDA register is actively maintained rather than a static artifact created for audit purposes. Where possible, cross-reference the vendor’s NDA register against the list of personnel who have accessed your organization’s data or systems. Discrepancies between the two lists indicate operational gaps in the vendor’s confidentiality governance.
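Two of the operational checks described on this page, gating credential provisioning on an executed NDA (the "no signed agreement, no credentials" step in the first-party implementation) and cross-referencing the NDA register against the list of people who have actually been granted access, can be scripted. The following Python is an added example and is not code from the page or from UpGuard; the CSV layouts, column names, person identifiers and sample rows are constructed assumptions about what an HR-maintained register and an access-grant export might look like.

```python
"""Reconcile an NDA register against access grants, and gate provisioning on it.

Added example: the CSV layouts, column names and sample rows are constructed
for illustration and are not any organisation's real records.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

DateLike = Union[date, str]


@dataclass(frozen=True)
class NdaRecord:
    person_id: str
    signatory: str
    executed: date
    expires: Optional[date]  # None: obligation has no fixed end date
    scope: str


@dataclass(frozen=True)
class Finding:
    person_id: str
    system: str
    issue: str  # no_nda_on_record | access_before_nda | nda_expired


def _as_date(value: DateLike) -> date:
    """Accept a date or an ISO-8601 string (as exported by most HR/IdP tools)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_register(text: str) -> dict:
    """NDA register keyed by person_id (assumed columns: see sample below)."""
    register = {}
    for row in csv.DictReader(io.StringIO(text)):
        register[row["person_id"]] = NdaRecord(
            person_id=row["person_id"],
            signatory=row["signatory"],
            executed=date.fromisoformat(row["executed"]),
            expires=date.fromisoformat(row["expires"]) if row["expires"] else None,
            scope=row["scope"],
        )
    return register


def parse_access(text: str) -> list:
    """Access grants as (person_id, system, date_granted) tuples."""
    return [(r["person_id"], r["system"], date.fromisoformat(r["granted"]))
            for r in csv.DictReader(io.StringIO(text))]


def nda_permits_access(register: dict, person_id: str, on: DateLike) -> bool:
    """Provisioning gate: credentials may be issued on `on` only if an NDA was
    executed on or before that day and has not expired. No agreement, no access."""
    on = _as_date(on)
    rec = register.get(person_id)
    if rec is None or rec.executed > on:
        return False
    return rec.expires is None or rec.expires >= on


def reconcile(register: dict, access: list, as_of: DateLike) -> list:
    """Cross-reference every access grant against the register and report gaps."""
    as_of = _as_date(as_of)
    findings = []
    for person_id, system, granted in access:
        rec = register.get(person_id)
        if rec is None:
            findings.append(Finding(person_id, system, "no_nda_on_record"))
            continue
        if granted < rec.executed:  # technical onboarding outran legal onboarding
            findings.append(Finding(person_id, system, "access_before_nda"))
        if rec.expires is not None and rec.expires < as_of:
            findings.append(Finding(person_id, system, "nda_expired"))
    return findings


# Constructed sample inputs (assumed layouts) --------------------------------
NDA_REGISTER_CSV = """\
person_id,signatory,executed,expires,scope
p-001,Alice Ng,2022-03-01,,all internal information
p-002,Bob Ruiz,2024-06-15,2025-06-14,customer record migration
p-003,Chen Wei,2024-09-10,2025-09-09,infrastructure support
"""

ACCESS_LOG_CSV = """\
person_id,system,granted
p-001,crm,2022-03-02
p-002,crm,2024-06-10
p-003,prod-db,2024-09-12
p-004,prod-db,2024-11-01
"""

if __name__ == "__main__":
    register = parse_register(NDA_REGISTER_CSV)
    for f in reconcile(register, parse_access(ACCESS_LOG_CSV), "2025-07-01"):
        print(f"{f.person_id}  {f.system:8}  {f.issue}")
```

Run against the sample data, the reconciliation reports three gaps: p-004 holds production database access with no NDA on record, and p-002 was granted CRM access five days before the NDA was executed and still holds it after the agreement expired. Wiring `nda_permits_access` into the provisioning workflow (for example as a pre-check before an IdP group assignment) prevents the first two classes of finding from arising; the periodic `reconcile` run catches expiries and anything that bypassed the gate. The same script works for a vendor assessment by substituting the vendor's register export and your own access logs for the sample inputs.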
Audit evidence for 6.6
Auditors assessing Control 6.6 will look for a combination of policy documentation, operational records, and evidence of ongoing management. For a broader view of the certification process, see this guide to ISO 27001 audit preparation. The following table summarizes the key evidence types.
| Evidence type | Example artifact |
|---|---|
| Policy | Confidentiality and NDA policy defining when agreements are required, who is responsible, and how they are managed |
| Template | Legally reviewed NDA template with version history and legal sign-off |
| Signed agreements | Sample of executed NDAs across employees, contractors, and vendors |
| NDA register | Centralized log tracking signatory, execution date, scope, expiration, and review history |
| Onboarding records | HR checklists demonstrating NDA signing as a prerequisite for system access |
| Review records | Annual review meeting minutes documenting updates, identified gaps, and remediation actions |
Cross-framework mapping
Control 6.6 maps to equivalent requirements across several major compliance frameworks, making it a strong candidate for unified compliance programs.
| Framework | Equivalent control(s) | Coverage |
|---|---|---|
| NIST SP 800-53 Rev. 5 | PS-6 (Access Agreements) | Full |
| SOC 2 | CC6.4 | Partial |
| NIST CSF 2.0 | PR.AA-06 | Partial |
| CIS Controls v8.1 | 6.1 | Partial |
| DORA (EU) | Article 28 | Partial |
The NIST SP 800-53 Rev. 5 mapping is derived from the NIST OLIR crosswalk. The remaining mappings reflect functional equivalence based on the controls’ shared intent of ensuring that individuals with access to sensitive information are bound by formal agreements governing their use and disclosure of that information. Organizations pursuing multiple certifications can use Control 6.6 as a foundation for satisfying access agreement requirements across these frameworks simultaneously, reducing duplicate compliance effort.
Related ISO 27001 controls
Control 6.6 does not operate in isolation. It connects to a network of related controls that collectively govern how organizations manage personnel security and information protection.
| Control ID | Control name | Relationship |
|---|---|---|
| 6.1 | Screening | Background checks establish trust before NDA signing |
| 6.2 | Terms and conditions of employment | Employment contracts embed confidentiality clauses |
| 6.3 | Information security awareness | Training ensures personnel understand NDA obligations |
| 6.4 | Disciplinary process | Enforces consequences for confidentiality breaches |
| 6.5 | Responsibilities after termination | Post-employment NDA obligations must survive |
| 5.10 | Acceptable use | Defines permitted use referenced in NDA scope |
| 5.12 | Classification of information | Classification drives what NDAs must cover |
| 5.19 | Info security in supplier relationships | Vendor NDAs are a subset of supplier security |
| 5.20 | Addressing info security in supplier agreements | Specific contractual clauses for suppliers |
Frequently asked questions
What is ISO 27001 6.6?
ISO 27001 6.6 is an Annex A control that requires organizations to identify and formalize confidentiality or non-disclosure agreements for all personnel and relevant third parties who access sensitive information. It covers the entire agreement lifecycle — drafting, signing, regular review, and post-termination enforcement.
What happens if 6.6 is not implemented?
Without Control 6.6, an organization has no enforceable legal mechanism to prevent or pursue unauthorized disclosure of confidential information. The absence of confidentiality agreements results in a non-conformity finding during certification audits, regulatory exposure under data protection laws, and inability to demonstrate due diligence.
How do you audit 6.6?
Auditors assess Control 6.6 by sampling signed NDAs across employees, contractors, and vendors, then verifying the NDA register, review cadence, and onboarding integration. They confirm that agreements include required clauses — particularly post-termination obligations and breach notification requirements.
How UpGuard helps
Managing NDA compliance across a growing vendor portfolio requires more than spreadsheets and email reminders.
- Vendor Risk: Assess vendor NDA practices as part of structured third-party risk assessments, track confidentiality agreement status across the vendor ecosystem, and demonstrate due diligence to auditors with centralized evidence. Security questionnaire workflows include NDA-specific questions, and continuous monitoring surfaces changes in vendor risk posture that may warrant agreement review.
Start a free trial to experience the UpGuard cybersecurity platform.