ISO 27001:2022 A 6.2 Terms and conditions of employment


Security responsibilities must be addressed at the recruitment stage, included in contracts, and monitored throughout an individual's employment. Candidates must be screened to a level commensurate with the sensitivity of the information they will handle. If necessary, all employees and third-party users should sign a confidentiality (non-disclosure) agreement. Before hiring or contracting employees or companies, security roles and responsibilities should be clearly articulated in job descriptions or well defined in contract terms and conditions. These roles and responsibilities should be defined in accordance with the organization's security policies. Careful attention should be paid to the validation of references and to the appropriate level of background checks, as determined by the security roles and responsibilities of the position or contract. Consideration should be given to making the receipt of affirmative references and the successful completion of a background check, at a level commensurate with the position's roles and responsibilities, a condition of hire. The purpose of this section is to introduce the security controls for people who work for the organization (both employees and contracted personnel). These controls are important because worldwide statistics show that the people working for a company represent the biggest threat to its information security. The most common ways of implementing these security controls are:

  • Documenting a human resource management procedure, although it is not a mandatory document.
  • Signing contracts with employees and other contractors that include information security clauses.
  • Regularly training people on security issues and continual awareness-raising campaigns.
  • Introducing a disciplinary process for all employees who have committed information security breaches.

The objective of this category is to ensure that employees, contractors, and third-party users understand their responsibilities, and are suitable for the roles for which they are considered, in order to reduce the risk of theft, fraud, or misuse of facilities. Security roles and responsibilities of employees, contractors, and third-party users should be defined and documented in accordance with the organization’s information security policy. Control includes requirements to:

act in accordance with the organization’s information security policy, including the execution of processes or activities particular to the indivi

A 6.2 Terms and conditions of employment

Control

The employment contractual agreements should state the personnel's and the organization's responsibilities for information security.

Purpose

To ensure personnel understand their information security responsibilities for the roles for which they are considered.

Guidance

The contractual obligations for personnel should take into consideration the organization's information security policy and relevant topic-specific policies. In addition, the following points can be clarified and stated:

a) confidentiality or non-disclosure agreements that personnel who are given access to confidential information should sign prior to being given access to information and other associated assets;
b) legal responsibilities and rights (e.g. regarding copyright laws or data protection legislation);
c) responsibilities for the classification of information and management of the organization's information and other associated assets, information processing facilities and information services handled by the personnel;
d) responsibilities for the handling of information received from interested parties;
e) actions to be taken if personnel disregard the organization's security requirements.

Information security roles and responsibilities should be communicated to candidates during the pre-employment process. The organization should ensure that personnel agree to terms and conditions concerning information security. These terms and conditions should be appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services. The terms and conditions concerning information security should be reviewed when laws, regulations, the information security policy or topic-specific policies change. Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment.

Other information

A code of conduct can be used to state personnel’s information security responsibilities regarding confidentiality, PII protection, ethics, appropriate use of the organization’s information and other associated assets, as well as reputable practices expected by the organization. An external party, with which supplier personnel are associated, can be required to enter into contractual agreements on behalf of the contracted individual. If the organization is not a legal entity and does not have employees, the equivalent of contractual agreement and terms and conditions can be considered in line with the guidance of this control.

Employees, contractors, and third-party users should agree to and sign a statement of rights and responsibilities for their affiliation with the organization, including rights and responsibilities with respect to information security. The organization should define security roles and responsibilities in accordance with its information security policy. The organization must ensure that information security policies are readily accessible and formally communicated to all personnel on a periodic basis. All employees, including contractors, temporary staff, board and/or committee members, should sign confidentiality or non-disclosure agreements as part of their initial terms and conditions of employment. Such agreements should give notice to users of the organization's policies, rights, obligations, and responsibilities in relation to access to information assets. This control addresses the need for a contractual agreement that informs every new employee of their responsibilities, and of the organization's responsibilities, towards information security. In practice, this means that employees should know the company's information security policy, as well as the roles and responsibilities of the people who work with information security in the company. This can be achieved by having personnel sign an employment contract or a similar document. Such a contractual agreement will typically outline the general requirements for protecting information assets, including physical security, environmental controls, access controls and contingency planning, as well as a confidentiality agreement if the person will be working with PII. Information security obligations should be explicitly stated in contracts with both employees and contractors. Insist that all parties involved are aware of and familiar with NDAs, legal rights and duties, data processing, and the use of third-party information. It is critical that disciplinary measures are guided by defined policies within the organization.
The contractual agreement with employees and contractors must state their and the organization's responsibilities for information security. These agreements are a good place to put key general and individual information security responsibilities, as they carry legal weight, meaning they are backed by law. This is also very important with regard to compliance obligations. They should reference and cover a whole range of control areas, including overall compliance with the ISMS as well as, more specifically, acceptable use, IPR ownership, return of assets, etc.

Confidentiality, non-disclosure, and/or contractual agreements should also be reviewed when there are changes to terms of employment or contract, particularly when employees are due to leave the organization or contracts are due to expire. The organization should ensure that all personnel employed are adequately bound by the confidentiality and non-disclosure requirements. Punitive and/or remedial action(s) to be taken if the employee disregards security requirements should also be clearly described in the terms and conditions. Such measures must be aligned with a formally documented disciplinary process. Casual staff and third-party users (such as volunteers) not already covered by an existing contract containing the confidentiality agreement should also be required to sign a confidentiality agreement prior to being given access to information processing facilities or information assets. The organization must establish agreements with equipment repairers to safeguard the confidentiality of information (and data) on equipment undergoing repair. Control includes, in the signed agreement:

  1. information about the scope of access and other privileges the person will have with respect to the organization's information and information processing facilities;
  2. information about the person's responsibilities, under legal, regulatory and certification requirements and organizational policies, specified in that or other signed agreements;
  3. as appropriate, information about responsibilities for classification of information and management of organizational information facilities that the person may use;
  4. as appropriate, information about the handling of sensitive information, both internal to the organization and that received from or transferred to outside parties;
  5. information about responsibilities that extend outside the organization's boundaries (e.g., for mobile devices and teleworking);
  6. information about the organization's responsibilities for the handling of information related to the person him/herself, generated in the course of the employment, contractor or other third-party relationship;
  7. actions that can be anticipated, under the organization's disciplinary process, as a consequence of failure to observe security requirements.

This control may also include the provision of an organizational code of conduct or code of ethics to the employee, contractor, or third party. It may also include a requirement to sign, prior to being given access or other privileges to information or information processing facilities, a separate confidentiality or non-disclosure agreement; and/or acceptable use of assets agreement.

Code of Conduct

Your firm could lose money if your workers casually share proprietary information with your competitors. Additionally, you could face lawsuits if employees fail to protect your clients' financial information. To avoid such issues, implement a company code of conduct. This HR document should include clear instructions for safeguarding sensitive information. Provide every employee with a copy of this policy and require every new hire to sign an agreement to abide by the code of conduct. Over time, you might need to update or amend this document to accommodate the implementation of new processes or procedures. HR representatives are responsible for ensuring that employees are made aware of such changes.
