Terms and conditions of employment for security
Ensure job agreements state everyone's info security duties clearly.
Plain language
This control is about making sure everyone's job agreements, like contracts, clearly explain what they need to do to protect the organisation's information. It's important because if people don't understand their responsibilities, they might accidentally jeopardise sensitive data or cause a security breach.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
People controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security.
Why it matters
If employment agreements omit information security duties, personnel may mishandle data, causing breaches, compliance failures and loss of trust.
Operational notes
Review and update employment contracts at onboarding and periodically to include clear information security responsibilities, confidentiality and reporting duties.
Implementation tips
- The HR manager should ensure that all new job contracts include sections on information security responsibilities. This can be done by adding clauses that specify the employee's duties to keep information safe according to the organisation's policies and relevant legal requirements.
- The IT manager should collaborate with HR to review and update information security policies referenced in employment agreements. This involves aligning the contracts with the organisation's information security policy and ensuring these are reviewed whenever there are changes in laws or regulations.
- HR should organise training for new hires so they understand their information security duties from day one. This involves explaining what's in the contract about data protection and perhaps providing a simple guide or code of conduct on how to manage confidential information.
- The leadership team should make sure there's a process for regularly reviewing employment terms related to information security. When laws or company policies change, HR needs to update the relevant sections in the employment agreements to ensure compliance.
- Legal advisors should assist in drafting and reviewing confidentiality agreements and other legal responsibilities linked with employment contracts. This involves ensuring these documents are clear on what actions are considered a breach of security requirements and what the consequences are.
Audit / evidence tips
- Ask: Ask for recent employment contract templates.
  Good: Contracts explicitly outline responsibilities for protecting data, aligning with the organisation's security policies.
- Ask: Request records of information security training provided to employees.
  Good: Training records show that employees received clear instructions about their security responsibilities promptly after hiring.
- Ask: Ask for evidence of a procedure for reviewing contracts when legal changes occur.
  Good: There is a documented procedure that is followed regularly to update employment contracts in response to legal and regulatory changes.
- Ask: Request examples of confidentiality or non-disclosure agreements signed by employees.
  Good: Documents confirm that all individuals with access to sensitive data have signed up-to-date confidentiality agreements.
- Ask: Ask for records of any security incidents involving breaches of employment terms.
  Good: Security incidents are followed up with a review of employment contracts, and necessary updates are made promptly.
Cross-framework mappings
How Annex A 6.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-2020 | Annex A 6.2 requires employment contractual agreements to clearly state the information security responsibilities of both personnel and t... |
| Partially overlaps | ISM-2035 | Annex A 6.2 requires that employment contractual agreements state personnel and organisational responsibilities for information security |
| Partially overlaps | ISM-2036 | Annex A 6.2 requires employment contractual agreements to explicitly state information security responsibilities of personnel and the org... |
| Supports | ISM-0714 | Annex A 6.2 requires employment contractual agreements to clearly state information security responsibilities for personnel and the organ... |
| Supports | ISM-1773 | ISM-1773 restricts gateway system administrator roles to Australian nationals or seconded foreign nationals |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.