ISO 27001:2022 A 6.6 Confidentiality or non-disclosure agreements

A non-disclosure agreement (NDA), also known as a confidentiality agreement, is a legally binding contract in which one party (usually the organization) agrees to give a second party (employees, vendors, contractors) confidential information about its business or products, and the second party agrees not to share this information with anyone else for a specified period of time. NDAs are used to protect sensitive information and intellectual property (IP) by outlining in detail what information must remain private and what information can be shared or released to the public. NDAs are typically signed at the beginning of a business relationship. The information covered by an NDA can be unlimited, ranging from test results to system specifications to customer lists and sales figures. If the NDA is broken and information is leaked, it is considered a breach of contract.

Key elements of an NDA include:

  • Identification of the participants
  • Definition of what is considered to be confidential
  • Duration of the confidentiality commitment
  • Exclusions from confidential protection

Control

Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

Purpose

To maintain confidentiality of information accessible by personnel or external parties.

ISO 27002 Implementation Guidance

Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to interested parties and personnel of the organization. Based on an organization’s information security requirements, the terms in the agreements should be determined by taking into consideration the type of information that will be handled, its classification level, its use and the permissible access by the other party. To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:
a) a definition of the information to be protected (e.g. confidential information);
b) the expected duration of an agreement, including cases where it can be necessary to maintain confidentiality indefinitely or until the information becomes publicly available;
c) the required actions when an agreement is terminated;
d) the responsibilities and actions of signatories to avoid unauthorized information disclosure;
e) the ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
f) the permitted use of confidential information and rights of the signatory to use the information;
g) the right to audit and monitor activities that involve confidential information for highly sensitive circumstances;
h) the process for notification and reporting of unauthorized disclosure or confidential information leakage;
i) the terms for information to be returned or destroyed at agreement termination;
j) the expected actions to be taken in the case of non-compliance with the agreement.
The organization should take into consideration the compliance with confidentiality and non-disclosure agreements for the jurisdiction to which they apply.
Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and when changes occur that influence these requirements.

Other information

Confidentiality and non-disclosure agreements protect the organization’s information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner.

Confidentiality or non-disclosure agreements are legally enforceable documents designed to protect your organization’s confidential information and intellectual property. These agreements, signed by the organization and its employees and/or third parties, establish the responsibilities of all parties to ensure that no one discloses sensitive data in an unauthorized manner. These agreements can be used in a wide range of situations, including:

  1. Employment – A confidentiality agreement may be part of the employment contract for a new employee. The agreement ensures that the employee does not disclose any confidential information about the company, its products or services, employees or vendors. Non-disclosure agreements are also used by businesses to prevent their employees from disclosing sensitive information after they leave their jobs.
  2. Business transactions – Confidentiality agreements are often included in business transactions, such as purchasing a company, merging with another company or selling a business. The purpose of these agreements is to prevent both parties from disclosing any confidential information obtained during the transaction.
  3. Partnerships – Confidentiality agreements are often used in business transactions when one party wants to protect its existing relationships with customers or suppliers from being disclosed to a new partner. For example, if a company is seeking funding from venture capitalists, it may ask those investors to sign NDAs in order to protect proprietary information about the company’s products or services.
  4. Partnerships often include confidentiality clauses as part of their partnership agreement so each partner agrees not to disclose any confidential information obtained during their partnership.

Confidentiality agreements are entered into by individuals and businesses alike. They have many purposes, such as:

  • Protecting trade secrets and proprietary information from competitors who might otherwise use it against them;
  • Preventing an employee from sharing sensitive company information with another company; and
  • Protecting intellectual property (IP) rights like patents and copyrights.

A good control describes how the requirements for confidentiality or non-disclosure agreements that reflect the organization’s needs for the protection of information must be identified, regularly reviewed and documented. As such, the organization needs to ensure that any information requiring protection is covered by confidentiality and non-disclosure agreements. Agreements are usually specific to the organization and should be developed with its control needs in mind, following the risk analysis work. Standard agreements for confidentiality and non-disclosure that may warrant consideration here include:

  1. General non-disclosure and mutual non-disclosure agreements, e.g. when sharing sensitive information about new business ideas.
  2. Customer agreements using standard terms and conditions – expressing confidentiality within the context of the use of products sold and any complementary services outlined in a related order form.
  3. Associate/supplier/partner agreements used for small suppliers and independent service providers that the organization uses for delivery of services.
  4. Employment-related terms.
  5. Privacy policies, e.g. in email footers.

Good non-disclosure agreements are usually no more than a few pages long, but they should contain a few basic elements:

  • The names of the parties to the agreement
  • Definition of what is considered confidential information in the case
  • Any exceptions to confidentiality
  • A statement of the appropriate use of the information to be disclosed
  • Miscellaneous provisions
  • Term of the agreement
  • Consequences of violating a nondisclosure agreement

To make an NDA

  1. First, identify the owner of the confidential data, since the contract is concluded on the owner’s behalf. The contract must be concluded by the rights holder; otherwise it will have no legal effect.
  2. Clarify what constitutes disclosure of the information, for example selling the data or giving it to third parties.
  3. It is better to conclude an NDA with outsourced staff who have access to information that is important to the company.
  4. Define from the outset the ways in which confidential information will be transferred.
  5. Define a list of the confidential information, state that this data is the property of the company that owns it, and indicate that the information is transmitted only for business purposes.
  6. Specify that the recipient of the data must take all measures to protect it.
  7. Set the term of the NDA so that the data remains confidential even after the cooperation ends.
  8. Specify the sanctions for violation of the non-disclosure agreement.