A.6.2 / A.6.6 — Do employment contracts include IS responsibilities and confidentiality / NDA clauses?
Description
What this control does
This control ensures that employment contracts and terms of engagement explicitly define information security responsibilities, confidentiality obligations, and non-disclosure requirements for employees, contractors, and third-party personnel. Contracts must specify acceptable use of information assets, consequences of policy violations, and obligations that extend beyond employment termination. This contractual foundation creates legally enforceable accountability for information security behaviors and protects the organization's confidential information from unauthorized disclosure or misuse.
Control objective
What auditing this proves
Demonstrate that all personnel with access to organizational information systems have signed employment contracts or agreements that explicitly define their information security responsibilities, confidentiality obligations, and non-disclosure commitments.
Associated risks
Risks this control addresses
- Employees or contractors disclose confidential business information, intellectual property, or customer data to unauthorized parties without legal recourse
- Personnel claim ignorance of security responsibilities after causing a data breach or policy violation, undermining disciplinary or legal action
- Departing employees retain or exploit proprietary information for personal gain or competitive advantage due to the absence of binding confidentiality terms
- Third-party contractors operating with elevated privileges lack contractual obligations to protect sensitive data, creating unmanaged insider threat exposure
- Organization cannot enforce post-termination confidentiality obligations when former employees join competitors or become consultants
- Regulatory non-compliance with data protection laws requiring documented employee confidentiality agreements (GDPR Article 28, HIPAA, etc.)
- Inadequate definition of acceptable use leads to shadow IT adoption, unauthorized data transfers, or use of corporate information for personal projects
Testing procedure
How an auditor verifies this control
- Obtain the current standard employment contract templates for permanent employees, contractors, and temporary staff from Human Resources.
- Review each contract template to identify clauses addressing information security responsibilities, data classification handling, acceptable use policies, and incident reporting obligations.
- Verify that contracts contain explicit confidentiality and non-disclosure provisions that define the scope of protected information, the duration of obligations (including post-termination), and the consequences of breach.
- Select a representative sample of 15-25 personnel records spanning different roles, departments, hire dates, and employment types (permanent, contractor, temporary).
- Request signed copies of employment contracts or engagement agreements for the sampled personnel from HR or the contract management system.
- Examine each sampled contract to confirm the presence of information security and confidentiality clauses, ensuring the language matches current organizational requirements.
- Interview HR personnel to confirm the onboarding process includes verification of signed contracts before granting system access or issuing credentials.
- Cross-reference sampled employees against the identity and access management system to verify that individuals with active system access have corresponding signed agreements on file.
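The reconciliation in the last step, together with the template-currency check from the contract review step, can be scripted against an IAM export and HR records. The example below is added here and is not part of the control text; the export formats, field names, the template version string and the "svc-" service-account prefix are assumptions, and all records are constructed.

```python
"""Added example: flag identities with active system access whose signed
agreement is missing, signed after access was granted, or on a superseded
contract template. Data formats and field names are assumptions."""
from datetime import date

# Assumed: the version identifier of the current approved contract template.
CURRENT_TEMPLATE_VERSION = "2024-03"

# Constructed IAM export: identity -> date access was first granted.
IAM_ACTIVE = {
    "alice": date(2023, 5, 2),
    "bob": date(2024, 6, 10),
    "carol": date(2022, 1, 15),
    "dave": date(2024, 9, 1),
    "svc-backup": date(2021, 3, 3),
}

# Constructed HR records: identity -> signed agreement details.
HR_AGREEMENTS = {
    "alice": {"signed": date(2023, 4, 28), "template": "2024-03", "type": "permanent"},
    "bob": {"signed": date(2024, 6, 12), "template": "2024-03", "type": "contractor"},
    "carol": {"signed": date(2022, 1, 10), "template": "2019-07", "type": "permanent"},
    # dave: active access but no agreement on file
    # svc-backup: service account, out of scope for personnel agreements
}

# Assumed naming convention for non-personnel identities.
SERVICE_ACCOUNT_PREFIXES = ("svc-",)


def reconcile(iam_active, hr_agreements, current_template):
    """Return {identity: reason} for every exception an auditor should record."""
    findings = {}
    for ident, access_granted in iam_active.items():
        if ident.startswith(SERVICE_ACCOUNT_PREFIXES):
            continue  # service accounts are covered by other controls
        rec = hr_agreements.get(ident)
        if rec is None:
            findings[ident] = "active access with no signed agreement on file"
        elif rec["signed"] > access_granted:
            findings[ident] = "access granted before agreement was signed"
        elif rec["template"] != current_template:
            findings[ident] = f"agreement on superseded template {rec['template']}"
    return findings


if __name__ == "__main__":
    for ident, reason in sorted(reconcile(IAM_ACTIVE, HR_AGREEMENTS, CURRENT_TEMPLATE_VERSION).items()):
        print(f"{ident}: {reason}")
```

Run against real exports, the sampled identities would be drawn from the findings and the clean set so that both populations are represented in the audit workpapers.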