ISO 27001 employment terms and conditions
- Scott Naisbett

- Jun 15, 2019
Updated: Mar 4

A good way to ensure people understand their roles and responsibilities within an organisation is by defining clear policies and procedures. However, policies only apply once individuals are already working within the organisation and have access to its information.
This raises an important question: how do organisations ensure information is protected when new employees or contractors are introduced into the business?
Before individuals gain access to systems, data or facilities, organisations must ensure they understand their information security responsibilities. One effective way to achieve this is through clearly defined security terms and conditions within employment agreements.
ISO 27001 employment terms and conditions
Terms and conditions of employment are the general rules by which employers and employees, or contractors working on behalf of an organisation, agree to perform work or activities.
These agreements are usually presented during the pre-employment stage and may appear within documents such as employment contracts, contractor agreements or general terms and conditions of employment.
Traditionally, these documents focus on areas such as working hours, remuneration, workplace expectations and employment conditions.
However, with the increasing importance of protecting sensitive information, organisations should also include specific clauses relating to information security.
Including security responsibilities within employment agreements can help address areas such as confidentiality obligations, data protection responsibilities, acceptable use of company systems and facilities, and adherence to organisational security practices.
By defining these responsibilities early in the employment relationship, organisations strengthen their ability to prevent incidents and establish a clear legal foundation should information security violations occur.
Contractual agreements under ISO 27001
ISO 27001 does not prescribe the exact wording or structure of employment agreements. Instead, the standard focuses on ensuring that responsibilities for information security are clearly defined and communicated.
This requirement is addressed within Annex A control A.7.1.2 – Terms and conditions of employment, which aims to ensure that employees, contractors and the organisation itself understand their responsibilities for protecting information.
Organisations generally approach this requirement in one of three ways.
Option 1 – Include full policy content
The full content of relevant information security policies can be included directly within employment agreements.
While this provides comprehensive coverage, it can also make the agreement lengthy and difficult to read, reducing its practical effectiveness.
Option 2 – Include summarised security expectations
Another option is to summarise the organisation’s key security principles within the agreement, for example through a code of conduct.
Shorter summaries are easier to read, but if overly simplified they may omit important details that individuals only encounter later when reviewing full policies.
Option 3 – A balanced approach
A more practical approach is to combine full and summarised information security requirements.
High-risk areas identified through risk assessment may be described in greater detail, while lower-risk policies can be summarised within the agreement.
This approach provides a good balance between clarity, usability and effective information protection.
Key information security responsibilities to include
When summarising information security expectations within employment agreements, guidance from ISO 27002 can be helpful. This supporting standard provides additional recommendations for implementing the Annex A controls.
At a minimum, organisations should consider including the following areas.
- Conditions for granting access to sensitive information, such as signing confidentiality or non-disclosure agreements before access is granted.
- Legal responsibilities relating to data protection, privacy legislation and intellectual property protection.
- Responsibilities for classifying, handling and protecting information assets belonging to the organisation or third parties.
- Actions that may be taken if information security requirements are violated, including disciplinary procedures or legal action.
In some cases, these obligations should also continue after the employment relationship ends. For example, employees involved in confidential projects may still be required to protect information until it becomes publicly available.
The “better safe than sorry” principle
Interestingly, many information security incidents are not caused by deliberate attacks but by a lack of awareness regarding responsibilities and expected behaviour.
Clearly defined employment terms relating to information security help ensure individuals understand how to handle sensitive information from the very beginning of their working relationship.
This approach helps reduce accidental incidents, improves organisational awareness and provides legal protection where security rules are breached.
When combined with the broader framework of ISO 27001, employment agreements become an important part of a structured approach to managing information security across the organisation.
If your organisation is considering ISO 27001 certification or reviewing how information security responsibilities are defined within employment agreements, structured guidance can make the process far more straightforward.