ISO/IEC 27001 Control 6.6: Confidentiality or non-disclosure agreements

Control

Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

Implementation Overview

The information classification and clearance mechanism can be used to enforce the presence of appropriate agreements before access is granted.

Implementation Details

Clearances can be used to represent confidentiality and non-disclosure agreements (NDAs). Archetypes and organizations may be used to imply a clearance, e.g. when all employees or all members of an organizational unit have an equivalent non-disclosure clause in their contracts. Policy rules can be used to limit access to sensitive applications so that a valid NDA clearance is required before access is granted. Access certification and micro-certification mechanisms can be used to initiate a check of a user (e.g. a supplier), verifying that the latest valid version of the NDA has been signed. Reporting capabilities can be used to analyze and review the state of the agreements granted as clearances. The audit trail and assignment metadata can be used to review the history of clearance assignments.

Implementation Notes

  • Inducements in an archetype can be used to denote implied clearances. E.g. all employees have an implicit NDA clearance, because their employment contracts contain a non-disclosure clause. This can be modeled by inducing the NDA clearance in the employee archetype.
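The pattern described in the details and notes above (an NDA clearance implied by the employee archetype, and a policy rule that refuses access to a sensitive application without it), written out as an added example that is not configuration from the midPoint documentation or project. Element names follow midPoint's common-3 schema as assumed here (policyRule with a hasNoAssignment constraint and an enforcement action), and every OID is a placeholder to be replaced with the real object OIDs.

```xml
<!-- Added example, not from the midPoint documentation. All OIDs are placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

    <!-- 1. The NDA represented as a clearance: a role carrying the Clearance archetype. -->
    <role oid="PLACEHOLDER-NDA-CLEARANCE-OID">
        <name>NDA clearance</name>
        <documentation>Holder has signed the current version of the non-disclosure agreement.</documentation>
        <assignment>
            <!-- Placeholder for the OID of the Clearance archetype in your deployment. -->
            <targetRef oid="PLACEHOLDER-CLEARANCE-ARCHETYPE-OID" type="ArchetypeType"/>
        </assignment>
    </role>

    <!-- 2. Employee archetype: every employment contract contains an NDA clause,
            so the clearance is induced (implied) for all employees instead of
            being assigned by hand. -->
    <archetype oid="PLACEHOLDER-EMPLOYEE-ARCHETYPE-OID">
        <name>Employee</name>
        <inducement>
            <targetRef oid="PLACEHOLDER-NDA-CLEARANCE-OID" type="RoleType"/>
        </inducement>
    </archetype>

    <!-- 3. Sensitive application role: the induced policy rule is evaluated for the
            user being given this role. If the user does NOT hold the NDA clearance,
            the enforcement action rejects the assignment. -->
    <role oid="PLACEHOLDER-SENSITIVE-APP-ROLE-OID">
        <name>HR records application</name>
        <inducement>
            <policyRule>
                <name>require-nda-clearance</name>
                <policyConstraints>
                    <hasNoAssignment>
                        <targetRef oid="PLACEHOLDER-NDA-CLEARANCE-OID" type="RoleType"/>
                    </hasNoAssignment>
                </policyConstraints>
                <policyActions>
                    <enforcement/>
                </policyActions>
            </policyRule>
        </inducement>
    </role>

</objects>
```

A supplier without the Employee archetype gets no implied clearance, so the NDA clearance must be assigned explicitly (for example after the signed agreement is verified in a certification campaign) before the application role can be granted.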

Rationale

MidPoint cannot handle the contractual details of confidentiality and non-disclosure agreements, as required by the control. However, midPoint can enforce the presence of an appropriate agreement before access is granted to information that requires it.

Documentation

Version       Title                                        Description
4.9           Information Classification and Clearances    Using clearances to represent a non-disclosure agreement
Development   Information Classification and Clearances    Using clearances to represent a non-disclosure agreement
4.8           Information Classification and Clearances    Using clearances to represent a non-disclosure agreement