ISO 27001 Annex A 6.6: Confidentiality and NDA Management Explained (27001:2022)

Confidentiality obligations sit at the very core of information security. Without enforceable confidentiality controls, even the strongest technical safeguards can be rendered ineffective by human behaviour, contractual gaps, or unclear responsibilities. ISO 27001:2022 Annex A 6.6 formalises this reality by requiring organisations to define, implement, communicate, and enforce confidentiality and non-disclosure obligations across employees, contractors, suppliers, and other relevant parties.

Annex A 6.6 is not simply about signing NDAs. It is about establishing a governed confidentiality framework that protects information throughout its lifecycle, aligns with legal and regulatory expectations, and stands up to audit scrutiny. This control ensures that people understand what must remain confidential, why it matters, how it must be protected, and what happens if those obligations are breached.

This article provides a complete, end-to-end explanation of ISO 27001 Annex A 6.6 under the 2022 standard. It covers intent, scope, implementation, evidence, audit expectations, common pitfalls, and best practices—positioned as a definitive reference for compliance, certification, and ongoing ISMS maturity.

Understanding ISO 27001 Annex A 6.6

What Annex A 6.6 Requires

ISO 27001 Annex A 6.6 requires organisations to ensure that confidentiality or non-disclosure agreements are identified, implemented, maintained, and enforced for all relevant parties who have access to information that must be protected. This includes employees, temporary staff, contractors, consultants, suppliers, partners, and in some cases customers.

The control expects confidentiality obligations to be:

  • Clearly defined and documented
  • Appropriate to the organisation’s risks and legal context
  • Communicated and understood by relevant parties
  • Enforceable through contractual, policy, and disciplinary mechanisms

Annex A 6.6 applies to information, not just documents. This includes data in digital systems, verbal discussions, intellectual property, business processes, customer records, source code, credentials, and any information classified as confidential or restricted under the organisation’s information classification scheme.

Why Confidentiality Is Explicitly Addressed in ISO 27001

While confidentiality is already a core principle of the CIA triad, ISO 27001 treats confidentiality obligations as a distinct control because human and contractual failures remain one of the most common causes of information security incidents.

Examples include:

  • Employees sharing information without understanding sensitivity
  • Contractors retaining access or knowledge after contracts end
  • Suppliers mishandling shared data
  • Verbal disclosures during meetings or calls
  • Inadequate contractual protection during partnerships or M&A activity

Annex A 6.6 exists to ensure that confidentiality is not assumed or implied, but explicitly governed.

Relationship to the ISMS and Risk Management

Confidentiality and NDA management must be aligned with the organisation’s ISMS scope, risk assessment, and information classification framework. NDAs are not generic legal documents; they are risk treatments.

Auditors will expect to see:

  • A clear link between information risks and confidentiality obligations
  • Evidence that confidentiality requirements are proportionate to risk
  • Integration with onboarding, offboarding, supplier management, and incident response processes

What Is a Confidentiality or Non-Disclosure Agreement Under ISO 27001?

Definition in an ISO 27001 Context

Within ISO 27001, a confidentiality or non-disclosure agreement is any formal mechanism that legally and operationally binds an individual or organisation to protect specified information from unauthorised disclosure, use, or misuse.

This includes:

  • Employment contract confidentiality clauses
  • Standalone NDAs
  • Supplier or partner confidentiality agreements
  • Project-specific NDAs
  • Confidentiality provisions within broader service agreements

The standard does not mandate a specific format, but it does require that confidentiality obligations are appropriate, enforceable, and effective.

Who Must Be Covered

Confidentiality obligations must apply to all parties who may access sensitive information, including:

  • Permanent and temporary employees
  • Contractors and consultants
  • Outsourced service providers
  • Cloud and SaaS vendors
  • Business partners
  • Third-party developers or integrators

In high-risk environments, this may also include visitors, auditors, interns, or volunteers.

When Confidentiality Obligations Must Apply

Confidentiality obligations should apply:

  • Before access is granted
  • During the period of access
  • After the relationship ends

Post-termination confidentiality is a critical audit focus. Organisations must demonstrate that confidentiality obligations survive contract termination where appropriate.

Confidentiality vs NDA: Understanding the Difference

What Is Confidentiality?

Confidentiality refers to the obligation to protect information from unauthorised disclosure. It is a principle, a policy requirement, and a behavioural expectation.

Confidentiality can be enforced through:

  • Policies
  • Procedures
  • Training
  • Technical controls
  • Legal agreements

What Is an NDA?

A Non-Disclosure Agreement is a legal instrument used to formalise confidentiality obligations between parties. An NDA is one way—though not the only way—to enforce confidentiality.

Key Differences

Confidentiality is broader and continuous.
An NDA is specific and contractual.

ISO 27001 Annex A 6.6 requires confidentiality to be managed holistically, not just through NDAs. An organisation that relies solely on NDAs without policies, awareness, or enforcement mechanisms will typically fail audit expectations.

Why Annex A 6.6 Matters for ISO 27001 Certification

Human Risk Is the Primary Threat Vector

Most information security incidents are not caused by advanced attacks, but by:

  • Human error
  • Misunderstanding of sensitivity
  • Poor judgement
  • Lack of accountability

Annex A 6.6 directly addresses this by ensuring people understand their obligations and the consequences of breaches.

Legal and Regulatory Alignment

Confidentiality agreements support compliance with:

  • Data protection laws
  • Intellectual property protections
  • Client contractual requirements
  • Industry regulations

Auditors frequently view Annex A 6.6 as a proxy indicator for overall governance maturity.

Audit Readiness and Evidence

Confidentiality management is one of the easiest areas for auditors to test. Gaps are often immediately visible through missing agreements, outdated templates, or inconsistent application.

Confidentiality Levels Under ISO 27001

Why Classification Matters

Confidentiality obligations must align with how information is classified. Without defined confidentiality levels, NDAs and policies lack precision and enforceability.

Common Confidentiality Levels

Most ISO 27001-aligned organisations use four levels:

  • Public: information intended for public disclosure, with no confidentiality requirement.
  • Internal: information intended for internal use only, with limited risk if disclosed.
  • Confidential: information that could cause harm if disclosed, including customer data, internal reports, or commercial information.
  • Restricted: highly sensitive information requiring strict access controls, such as credentials, encryption keys, source code, or regulated data.

Annex A 6.6 requires confidentiality obligations to reflect these distinctions, not treat all information equally.

Implementing Annex A 6.6 in Practice

Step 1: Define Confidentiality Requirements

Organisations must clearly define:

  • What information is confidential
  • Who is responsible for protecting it
  • How confidentiality is enforced
  • What happens if confidentiality is breached

These definitions should exist within policies, contracts, and procedures.

Step 2: Establish Standard Confidentiality Clauses and NDAs

Standardised templates help ensure consistency and auditability. These should:

  • Align with information classification
  • Define permitted and prohibited disclosures
  • Include post-termination obligations
  • Reference disciplinary or legal consequences

Step 3: Integrate Confidentiality Into Onboarding

Confidentiality obligations should be communicated and acknowledged before access is granted. This typically includes:

  • Contract signing
  • Policy acknowledgment
  • Awareness training

Step 4: Manage Confidentiality for Third Parties

Supplier and partner confidentiality management should be risk-based and documented, with evidence of acceptance and review.

Step 5: Enforce and Monitor

Confidentiality is meaningless without enforcement. This includes:

  • Monitoring for misuse
  • Investigating breaches
  • Applying disciplinary actions
  • Updating agreements when roles or risks change

Evidence Required for Annex A 6.6 Compliance

Auditors will expect objective evidence, not verbal assurances.

Common Evidence Types

  • Signed confidentiality agreements
  • Employment contracts with confidentiality clauses
  • Supplier agreements
  • Policy acknowledgment records
  • Training and awareness records
  • Offboarding checklists
  • Incident records related to confidentiality breaches

Evidence must be current, relevant, and traceable.

Common Audit Findings for Annex A 6.6

Typical nonconformities include:

  • Missing NDAs for contractors
  • Outdated confidentiality clauses
  • No post-termination obligations
  • Inconsistent application across roles
  • Lack of awareness evidence
  • No defined confidentiality levels

These findings are often classified as major because of their direct impact on risk.

Best Practices for Strong Confidentiality Governance

Make Confidentiality Role-Specific

Not all roles carry the same risk. Tailor confidentiality obligations accordingly.

Keep Agreements Simple and Understandable

Overly complex legal language reduces effectiveness and awareness.

Review Regularly

Confidentiality obligations should be reviewed when:

  • Roles change
  • Systems change
  • Regulations change
  • Incidents occur

Integrate With Other Controls

Annex A 6.6 should align with access control, acceptable use, awareness, and incident management controls.

Confidentiality and NDAs in the Context of ISO 27001:2022

The 2022 update reinforces the need for people-centric controls. Annex A 6.6 reflects ISO’s recognition that information security failures often originate outside technical systems.

Organisations that treat confidentiality as a living control—not a static document—consistently demonstrate higher ISMS maturity and audit resilience.

Turning Confidentiality Into a Controlled System

ISO 27001 Annex A 6.6 is not about paperwork—it is about trust, accountability, and governance. Organisations that implement confidentiality and NDA management effectively reduce risk, strengthen compliance, and demonstrate security maturity.

When confidentiality obligations are clearly defined, consistently applied, and auditable, they become a powerful control rather than a legal afterthought.

Book a Demo: Manage Confidentiality and NDAs With Confidence

Managing confidentiality agreements, acknowledgments, reviews, and evidence manually is complex, error-prone, and difficult to scale—especially across employees, contractors, and suppliers.

Hicomply helps organisations centralise confidentiality and NDA management as part of a structured, auditable ISMS. From policy acknowledgment tracking to supplier agreement visibility and audit-ready evidence, Hicomply enables teams to maintain continuous compliance without administrative overload.

If you want to simplify ISO 27001 Annex A 6.6 compliance and strengthen your confidentiality governance, book a demo with Hicomply and see how a modern ISMS platform supports real-world security management.

Last updated: December 15, 2025
Category: Annex A Controls — People
Author: Lucy Murphy, Head of Customer Success

Lucy works closely with customers to help them get the most out of the Hicomply platform, from onboarding to audit success. She brings a user-focused mindset to everything she does, making her well-placed to write about day-to-day challenges, shortcuts, and success strategies. Her content is grounded in what real InfoSec and compliance teams need to know — and how to get there faster. Expect helpful walkthroughs, product tips, and practical insights.

Popular Confidentiality And NDA Management | Annex A 6.6 queries, answered!

What is a confidentiality or non-disclosure agreement under Annex A 6.6?

Under ISO 27001 Annex A 6.6, a confidentiality or non-disclosure agreement is a formal mechanism that defines and enforces obligations to protect sensitive information. It applies to employees, contractors, suppliers, and other parties with access to confidential data and supports the organisation’s ISMS by reducing disclosure risks.

What is the difference between NDA and confidentiality?

Confidentiality is the obligation to protect information, while an NDA is a legal tool used to formalise that obligation. ISO 27001 requires confidentiality to be managed holistically, not only through NDAs.

Is signing an NDA a big deal?

Yes. From an ISO 27001 perspective, signing an NDA establishes accountability and legal enforceability. However, NDAs alone are insufficient without awareness, policies, and enforcement.

What are the confidentiality levels of ISO 27001?

ISO 27001 does not mandate specific labels, but most organisations use Public, Internal, Confidential, and Restricted levels to structure confidentiality obligations.

What is ISO 27001 Annex A?

Annex A is the control framework within ISO 27001 that provides reference security controls, including confidentiality, access control, human security, and operational safeguards.


