Confidentiality and Non-disclosure Agreements
Ensure all relevant parties sign agreements to protect confidential information.
Plain language
This control makes sure that anyone who has access to confidential information, like employees or partners, signs an agreement to keep that information secret. It's important because without these agreements, sensitive information could be shared, leading to competitive harm or legal trouble.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
People controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.
Why it matters
Without confidentiality/NDAs, staff and third parties may disclose sensitive information, causing legal action, competitive harm and loss of customer trust.
Operational notes
Maintain a register of required confidentiality/NDAs, ensure onboarding/contracting includes signature capture, and review clauses at least annually for legal and business changes.
Implementation tips
- HR department should draft confidentiality agreements for all employees. Use a simple format that defines what is considered confidential and explains the employee's responsibilities regarding this information. Regularly update these agreements in line with changes in company policy and legislation like the Privacy Act 1988.
- Legal team should review and approve all non-disclosure agreements (NDAs) used with external parties. Ensure these NDAs include key elements such as the definition of confidential information and the duration of confidentiality. Align this process with ISO 27002:2022 guidance to ensure comprehensive coverage.
- IT manager should ensure that any type of information classified as confidential is adequately protected with appropriate access controls. This includes using strong passwords and access limits to sensitive areas on your network, aligning with ASD Essential Eight strategies.
- Board members should ensure that reviewing and signing NDAs is a standard procedure before sharing any sensitive information with third parties. Establish clear guidelines on situations that require such agreements to ensure wide organisational compliance.
- The compliance officer should organise regular training sessions for all staff on the importance of confidentiality. These sessions should cover the legal and organisational requirements for protecting confidential information, which are aligned to CPS 234 obligations.
Audit / evidence tips
- Ask: a sample of signed confidentiality agreements. Good: complete agreements containing all essential elements as per ISO 27002:2022 guidelines.
- Ask: records of NDA reviews by the legal department.
- Ask: documentation on employee training about confidentiality.
- Ask: a list of third-party NDAs.
- Ask: policies on handling confidential information.
Cross-framework mappings
How Annex A 6.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-0072 | Annex A 6.6 requires the organisation to identify, document, regularly review and obtain signed confidentiality or non-disclosure agreeme... |
| Supports | ISM-0820 | ISM-0820 focuses on preventing unauthorised disclosure by advising personnel not to post work information to unauthorised online services... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.