Overview
ISO 27001 Control A.6.6 requires that confidentiality or non-disclosure agreements reflecting the organisation’s needs for protecting information are identified, documented, regularly reviewed, and signed by personnel and relevant external parties. Auditors check for signed agreements on file, coverage across all personnel categories, and evidence of periodic review.
This skill produces two artifacts: a reusable NDA/confidentiality agreement template (covering both employee and third-party scenarios) and a tracking register that records who signed what, when, and when it’s due for review. Validation tools check that the template includes all legally required clauses and that the register covers every personnel category in the organisation.
For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the ISO 27001 ISMS workspace tutorial.
What It Covers
- Agreement template — covers definition of confidential information, obligations, exclusions, duration, return/destruction, remedies, governing law, permitted disclosures, and IP provisions
- Personnel categories — employees, contractors, third-party suppliers, interns/trainees, board members, and external advisors
- Tracking register — records signatory, agreement type, date signed, scope, expiry, status, and review schedule
- Coverage analysis — cross-references the organisation profile to ensure no personnel category is missing signed agreements
- Regular review — enforces review frequency aligned with the ISMS monitoring calendar per A.6.6
Example Conversation
You: We need to create NDA templates and a tracking register for our ISO 27001 certification. We’re a SaaS company with 45 employees, plus contractors and third-party vendors like GCP, Okta, and Stripe.
Agent: I’ll create both artifacts per Control A.6.6. Let me load your organization profile to identify all personnel categories that need confidentiality agreements.
From the profile, I see three categories: employees (45), contractors (referenced in departments), and third-party suppliers (GCP, Okta, Stripe, SendGrid). I’ll draft the NDA template first.
I’ve drafted the confidentiality agreement template covering both employee and third-party scenarios. Let me validate it.
Running nda_clause_validator…
RESULT: PASS — All 10 required clauses found:
- Definition of confidential information — FOUND
- Obligations of receiving party — FOUND
- Exclusions from confidentiality — FOUND
- Duration of obligations — FOUND
- Return or destruction of materials — FOUND
- Remedies for breach — FOUND
- Governing law and jurisdiction — FOUND
- Permitted disclosures — FOUND
- IP non-transfer disclaimer — FOUND
- Signatures/execution block — FOUND
Now let me draft the tracking register and validate coverage.
Running nda_register_completeness_check with org profile cross-reference…
RESULT: PASS — 8 entries validated, all required fields present.
Personnel coverage: Employees (Maria Santos, João Silva, + 43 others), Contractors (2 entries), Third-party suppliers (4 entries: GCP, Okta, Stripe, SendGrid). All categories from the organization profile are covered.
You: What about board members? We have 3 external board members.
Agent: Good catch — A.6.6 requires agreements from anyone with access to confidential information. I’ll add entries for the 3 board members with “Board Member” as the category and scope limited to board materials and strategic information. Let me re-run the completeness check… PASS. All personnel categories now covered.
Sample Output Excerpt
Below is a representative excerpt from a generated NDA tracking register showing entries across different personnel categories.
NDA Tracking Register (excerpt)
| Name / Entity | Role / Category | Agreement Type | Date Signed | Scope | Expiry Date | Status | Notes |
|---|---|---|---|---|---|---|---|
| Maria Santos | Employee — CISO | Employee Confidentiality Agreement | 2025-06-15 | All ISMS information, customer data, security controls, audit findings | 2026-06-15 | Active | Annual review due |
| João Silva | Employee — CTO | Employee Confidentiality Agreement | 2025-06-15 | All ISMS information, source code, infrastructure credentials | 2026-06-15 | Active | Annual review due |
| DataTech Consulting | Contractor — Security Assessor | Third-Party NDA | 2026-01-10 | Penetration test findings, vulnerability data, network architecture | 2027-01-10 | Active | Engagement-specific |
| GCP (Google Cloud) | Third-Party Supplier — IaaS | Supplier Confidentiality (via DPA) | 2025-03-01 | Customer data processing, infrastructure configuration | 2026-03-01 | Active | DPA §7 covers confidentiality |
| Pedro Lima | Board Member | Board Confidentiality Agreement | 2026-02-01 | Board materials, strategic plans, financial data | 2027-02-01 | Active | Limited scope |
Coverage Summary
| Category | Total | Signed | Coverage |
|---|---|---|---|
| Employees | 45 | 45 | 100% |
| Contractors | 2 | 2 | 100% |
| Third-Party Suppliers | 4 | 4 | 100% |
| Board Members | 3 | 3 | 100% |
Extension Tools
nda_clause_validator
Validates the NDA template against 10 required legal clauses using pattern matching:
| # | Clause | What It Checks |
|---|---|---|
| 1 | Definition of confidential information | Clear scope of what constitutes confidential information |
| 2 | Obligations of receiving party | Duty to protect, restrict use, limit disclosure |
| 3 | Exclusions from confidentiality | Standard carve-outs (public domain, independent development, prior knowledge) |
| 4 | Duration / term | Time-bound obligations with defined period |
| 5 | Return or destruction | Requirement to return or destroy materials upon termination |
| 6 | Remedies for breach | Injunctive relief, indemnification, or damages provisions |
| 7 | Governing law and jurisdiction | Applicable legal framework and dispute resolution venue |
| 8 | Permitted disclosures | Legal or regulatory compulsion exceptions with notice requirement |
| 9 | IP non-transfer disclaimer | No IP rights transferred by disclosure (ISO 27002 §6.6 alignment) |
| 10 | Signatures / execution | Execution block for both parties |
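The following is an added example of how a pattern-matching clause check of this kind can be built; it is not the skill's own nda_clause_validator, and the regex alternatives and the sample template are constructed for illustration.

```python
import re

# Constructed patterns (assumption: the skill's own patterns are not on the page); a clause counts as
# FOUND when any of its alternatives matches, case-insensitively, anywhere in the template text.
REQUIRED_CLAUSES = {
    "Definition of confidential information": [r"confidential information\W+(means|includes|shall mean)"],
    "Obligations of receiving party": [r"receiving party\s+(shall|agrees to|must)"],
    "Exclusions from confidentiality": [r"(does|shall) not (include|apply to)", r"public(ly available| domain)"],
    "Duration / term": [r"for a period of[^.]*years?", r"\b(term|duration) of [^.]*years?"],
    "Return or destruction": [r"return or destroy", r"(return|destruction) of[^.]*(materials|confidential)"],
    "Remedies for breach": [r"injunctive relief", r"indemnif", r"\bdamages\b"],
    "Governing law and jurisdiction": [r"governed by the laws? of", r"governing law"],
    "Permitted disclosures": [r"required by (law|court order|regulat)", r"compelled (by law|to disclose)"],
    "IP non-transfer disclaimer": [r"no (licen[cs]e|right|title)[^.]*intellectual property"],
    "Signatures / execution": [r"in witness whereof", r"signature", r"signed by"],
}

def validate_nda_template(text):
    """Return ("PASS"|"FAIL", {clause: "FOUND"|"MISSING"}) for the 10 required clauses."""
    report = {}
    for clause, patterns in REQUIRED_CLAUSES.items():
        hit = any(re.search(p, text, re.IGNORECASE) for p in patterns)
        report[clause] = "FOUND" if hit else "MISSING"
    status = "PASS" if all(v == "FOUND" for v in report.values()) else "FAIL"
    return status, report

# Constructed sample template: deliberately omits the remedies clause (no. 6 in the table above)
SAMPLE_TEMPLATE = """
1. "Confidential Information" means any non-public information disclosed by the Disclosing Party.
2. The Receiving Party shall not use or disclose Confidential Information except as permitted here.
3. Confidential Information does not include information that is publicly available.
4. Obligations under this Agreement survive for a period of three (3) years after termination.
5. Upon termination the Receiving Party shall return or destroy all Confidential Information.
7. This Agreement is governed by the laws of Brazil; disputes are heard in the courts of Sao Paulo.
8. Disclosure required by law or court order is permitted after prompt notice to the Disclosing Party.
9. No licence or right in any intellectual property is granted by disclosure under this Agreement.
IN WITNESS WHEREOF the parties have signed this Agreement.
"""
REMEDIES_CLAUSE = "6. The Disclosing Party is entitled to injunctive relief and damages for any breach.\n"
```

A check like this confirms that wording for each clause is present; whether the wording is legally adequate for the governing jurisdiction still needs legal review.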
nda_register_completeness_check
Validates each register entry and cross-checks personnel coverage:
- Per-entry validation: name/entity, agreement type, date signed (format and future-date check), scope, expiry date, status — all must be non-empty and non-placeholder
- Date validation: emits WARNING for unrecognisable date formats or dates in the future
- Organisation profile cross-check (when available): verifies that employees, contractors, and third-party suppliers from the profile all have corresponding register entries
- Coverage report: lists covered and uncovered personnel categories with counts
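Added example, not the skill's own nda_register_completeness_check: a minimal implementation of the per-entry, date and coverage checks listed above. The field names, accepted date formats, placeholder list, profile structure and sample rows are assumptions constructed for this example.

```python
from datetime import date, datetime

REQUIRED_FIELDS = ("name", "agreement_type", "date_signed", "scope", "expiry_date", "status")
PLACEHOLDERS = {"", "tbd", "todo", "n/a", "[placeholder]"}  # constructed list of non-values
SAMPLE_TODAY = date(2026, 3, 1)  # fixed "today" so the future-date check is deterministic

def parse_date(value):
    """ISO (2025-06-15) or day-first (15/06/2025); None when the format is unrecognisable."""
    for fmt in ("%Y-%m-%d", "%d/%m/%Y"):
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    return None
def check_entry(entry, today):
    """Per-entry validation: required fields non-empty and non-placeholder, date_signed parseable and not future."""
    findings, name = [], entry.get("name", "?")
    for field in REQUIRED_FIELDS:
        if str(entry.get(field, "")).strip().lower() in PLACEHOLDERS:
            findings.append(f"ERROR: {name}: '{field}' is empty or a placeholder")
    signed = parse_date(str(entry.get("date_signed", "")))
    if signed is None:
        findings.append(f"WARNING: {name}: unrecognisable date_signed {entry.get('date_signed')!r}")
    elif signed > today:
        findings.append(f"WARNING: {name}: date_signed {signed} is in the future")
    return findings
def coverage_report(register, profile):
    """Cross-check: every profile member needs a register entry in the same category."""
    report = {}
    for category, members in profile.items():
        signed = {e["name"] for e in register if e.get("category") == category}
        missing = [m for m in members if m not in signed]
        report[category] = {"total": len(members), "signed": len(members) - len(missing), "missing": missing}
    return report
def run_check(register, profile, today):
    """PASS only with no ERROR findings and 100% coverage in every category; WARNINGs do not fail the check."""
    findings = [f for e in register for f in check_entry(e, today)]
    coverage = coverage_report(register, profile)
    ok = not any(f.startswith("ERROR") for f in findings) and not any(c["missing"] for c in coverage.values())
    return ("PASS" if ok else "FAIL"), findings, coverage

# Constructed sample data, loosely modelled on the register excerpt earlier on this page
PROFILE = {"Employees": ["Maria Santos", "João Silva"], "Contractors": ["DataTech Consulting"],
           "Third-Party Suppliers": ["GCP", "Okta", "Stripe", "SendGrid"], "Board Members": ["Pedro Lima"]}
def row(name, category, date_signed, scope="ISMS information", expiry="2027-01-01"):
    return {"name": name, "category": category, "agreement_type": "NDA", "date_signed": date_signed,
            "scope": scope, "expiry_date": expiry, "status": "Active"}
REGISTER = [row("Maria Santos", "Employees", "2025-06-15"), row("João Silva", "Employees", "15/06/2025"),
            row("DataTech Consulting", "Contractors", "2099-01-10"),
            row("GCP", "Third-Party Suppliers", "2025-03-01", scope="TBD")]
```

Running `run_check(REGISTER, PROFILE, SAMPLE_TODAY)` on the sample data fails: the GCP row has a placeholder scope, the contractor row carries a future signing date, and three suppliers plus the board member have no entry at all.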
Getting Started
Activate the ISO 27001 Confidentiality & NDA Agreements skill. If you’ve completed the Organization Profile skill, load it — the agent uses your personnel categories, suppliers, and jurisdictions to ensure full coverage.
Have this information ready:
- Personnel categories that handle confidential information (employees, contractors, board members)
- Third-party suppliers with access to your systems or data
- Your organisation’s governing law jurisdiction
- Any existing NDA templates or signed agreements
- Specific confidentiality requirements from regulations (e.g., LGPD, GDPR)
The agent produces both a reusable template and a tracking register, validates clause coverage and personnel completeness, and flags any gaps before an auditor does.