In the 2013 revision of ISO 27001, Annex A provides a specific control (A13.2.14) for confidentiality or non-disclosure agreements and requires that such agreements "reflect the organization's needs for the protection of information" and be "identified, regularly reviewed and documented." The question "How would we know that one of their employees was doing something messy? How would we realistically monitor compliance?" raises the delicate issue of enforcement. An NDA doesn't magically secure or enforce anything; the parties have to do that, which means they have to do the monitoring and verification. Unfortunately, most of the NDAs I've been involved in (including, I must admit, my own) are treated as an end in themselves. As a business facilitator, their value lies in providing a formal basis for the exchange of valuable information and a mutual understanding of its sensitivity. They act as a preventive control, but should really be supported by a number of other controls (e.g. common classification markings, together with awareness-raising, monitoring and compliance activities). Lawyers, who are usually only too happy to help draft the actual agreements, seem to evaporate when asked to help with the rest, so this is where information security professionals, client advisors and business people come in. Policies, procedures and standards should be defined and maintained to protect information and physical media in transit, and should be referenced in the transfer agreements. Confidentiality and non-disclosure agreements should comply with all laws and codes of conduct applicable to them.

ISO 27002 lists implementation considerations, including notification, traceability, escrow, identification standards, chain of custody, cryptography, access control and others. Implementation guidance: confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Such agreements apply to external parties as well as to employees of the organization. Their elements should be selected or added with regard to the type of the other party and its permitted access to, or handling of, confidential information. To identify the requirements for confidentiality or non-disclosure agreements, an organization should consider its own information security requirements, and additional elements may be needed in a given agreement accordingly. A good control describes how confidentiality or non-disclosure requirements that reflect the organization's information protection needs are identified, regularly reviewed and documented. The organization must therefore ensure that all information requiring protection is covered by confidentiality or non-disclosure agreements. Agreements on the transfer of information should include:

(a) management responsibilities for controlling and notifying transmission, dispatch and receipt;
(b) procedures to ensure traceability and non-repudiation;
(c) minimum technical standards for packaging and transmission;
(d) escrow arrangements;
(e) standards for the identification of couriers;
(f) responsibilities and liabilities in the event of information security incidents, such as loss of data;
(g) the use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected;
(h) technical standards for recording and reading information and software;
(i) any special controls required to protect sensitive items, such as cryptography;
(j) maintaining a chain of custody for information while in transit;
(k) acceptable levels of access control.

Other information: confidentiality and non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner. The provisions of confidentiality and non-disclosure agreements should be reviewed regularly and whenever changes occur that affect those provisions. Non-disclosure agreements can be more than a gentleman's agreement, but only if the parties make them so. I believe that NDAs fall into a fictitious spectrum ranging from trivial or casual NDAs that are not worth the paper they are written on (if written at all) to formally executed and legally binding NDAs or contracts supported by a number of appropriate processes and controls. Management has many options along that spectrum as to what kind of NDA it wants or needs. Information can be transferred digitally or physically, and agreements must focus on the secure transfer of business information between the organization and external parties. Formal transfer policies and technical controls should be selected, implemented, operated, monitored, audited and reviewed to ensure effective and ongoing protection.