Control 6.2 : Terms and Conditions of Employment
Summary
Contractual agreements with employees and contractors should state their responsibilities for information security. This ensures that legal and security expectations are established and enforceable from the start of the relationship.
Applicability
In-Scope: Mandatory for defining the legal relationship between the individual and the organization regarding data protection. It provides the basis for disciplinary action in the event of a security breach.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Policy Acceptance: Use Entra ID Terms of Use to require employees to acknowledge their security obligations digitally every time they sign in or on a recurring basis.
- Digital Archiving: Store signed employment contracts and non-disclosure agreements (NDAs) in a secure, encrypted SharePoint document library.
- Automated Compliance: Use Microsoft Purview to track the expiration of specific contractual obligations, such as confidentiality agreements for temporary contractors.
Evidence Checklist
- Employment Contracts: Templates of contracts containing specific clauses regarding information security and confidentiality.
- Non-Disclosure Agreements (NDAs): Signed records for all staff and contractors with access to proprietary data.
- Terms of Use Logs: Reports from Entra ID showing that users have accepted the organization's digital terms.
Practical Audit Advice
Here are some questions the auditor might ask:
- Do your employment contracts explicitly mention the responsibility to protect intellectual property even after the employee leaves the organization?
- How do you ensure that temporary staff or contractors are bound by the same security terms as full-time employees?
- What is the process for updating employment terms if a significant change in security policy or law (e.g., Law 25) occurs?
- Can you demonstrate that all current employees have a signed confidentiality agreement on file?
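Added example, not part of this control page or of any Microsoft tooling: it turns an Entra ID Terms of Use acceptance export (the "Terms of Use Logs" evidence above) into an answer to the last audit question by listing everyone on the HR roster who lacks a current acceptance. The record field names mirror Microsoft Graph agreementAcceptance objects but are assumptions here, and all data is constructed.

```python
"""Find roster members without a valid Terms of Use acceptance.

Constructed data throughout; field names (userPrincipalName, state,
recordedDateTime, expirationDateTime) are assumed to match an Entra ID /
Microsoft Graph agreementAcceptance export and are not taken from a tenant.
"""
from datetime import datetime, timezone

# Constructed HR roster: every current employee and contractor in scope.
ROSTER = ["alice@example.com", "bob@example.com",
          "carol@example.com", "dan@example.com"]

# Constructed acceptance export. Bob accepted once, then declined later.
ACCEPTANCES = [
    {"userPrincipalName": "alice@example.com", "state": "accepted",
     "recordedDateTime": "2024-01-10T09:00:00Z",
     "expirationDateTime": "2025-01-10T09:00:00Z"},
    {"userPrincipalName": "bob@example.com", "state": "accepted",
     "recordedDateTime": "2024-01-15T09:00:00Z", "expirationDateTime": None},
    {"userPrincipalName": "bob@example.com", "state": "declined",
     "recordedDateTime": "2024-02-01T09:00:00Z", "expirationDateTime": None},
    {"userPrincipalName": "carol@example.com", "state": "accepted",
     "recordedDateTime": "2023-01-10T09:00:00Z",
     "expirationDateTime": "2024-01-10T09:00:00Z"},
]

# Fixed "as of" date so the result is reproducible.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse(ts):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def acceptance_gaps(roster, acceptances, now):
    """Return {upn: reason} for roster members lacking a valid acceptance.

    Only the most recent record per user counts, so a later decline
    overrides an earlier acceptance; expired acceptances are gaps too.
    """
    latest = {}
    for rec in acceptances:
        upn = rec["userPrincipalName"].lower()
        if upn not in latest or _parse(rec["recordedDateTime"]) > _parse(
                latest[upn]["recordedDateTime"]):
            latest[upn] = rec
    gaps = {}
    for upn in (u.lower() for u in roster):
        rec = latest.get(upn)
        if rec is None:
            gaps[upn] = "no acceptance record"
        elif rec["state"] != "accepted":
            gaps[upn] = "last record state is " + rec["state"]
        elif rec.get("expirationDateTime") and _parse(rec["expirationDateTime"]) <= now:
            gaps[upn] = "acceptance expired"
    return gaps


if __name__ == "__main__":
    for upn, reason in sorted(acceptance_gaps(ROSTER, ACCEPTANCES, AS_OF).items()):
        print(f"{upn}: {reason}")
```

An empty result is the positive evidence for the auditor; a non-empty one is the remediation list to chase before the audit.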