People controls | Preventive | Protect

A.6.6 Confidentiality or Non-Disclosure Agreements

M365 Admin Path: Control A.6.6 establishes formal confidentiality agreements for all personnel and external parties. External parties (B2B guests, suppliers, contractors) must accept a Terms of Use (ToU) policy before accessing any organisational resources. The ToU is legally linked to the signed NDAs and enforced through a Conditional Access policy. Acceptance is logged per user in Microsoft Entra.

Evidence Source: Microsoft Graph (Terms of Use, Conditional Access, User Acceptances)

What is this control?

ISO 27001 control A.6.6 Confidentiality or Non-Disclosure Agreements ensures that all personnel and external parties granted access to non-public information are bound by formal, legally binding confidentiality or non-disclosure agreements. The organisation implements contractual NDAs for external parties and enforces confidentiality obligations through Microsoft Entra Terms of Use policies for guests and Microsoft Purview Information Protection labels for classified data.

How to implement in Microsoft 365

Implement A.6.6 by developing comprehensive NDAs for external parties, including suppliers, customers, contractors, and B2B partners, with clear confidentiality obligations regarding classified information. Document an authorised-signatory matrix covering standard agreements and negotiated variances. Establish a secure, version-controlled NDA repository in SharePoint Online with access restricted to Legal, HR, and Executive personnel.

For external parties, require execution of a binding legal agreement before an Entra B2B guest account is provisioned. Create a Microsoft Entra Terms of Use policy for external and guest users that reinforces confidentiality obligations on first sign-in, and enforce its acceptance through a Conditional Access policy.

What an auditor looks for

Auditors will verify formal NDA agreements for external parties with execution dates and version control. They will check authorised signatory documentation and sample signed agreements. Auditors will review the secure NDA repository in SharePoint Online with version control and restricted access.

They will verify Microsoft Entra Terms of Use policies for external and guest users. Auditors will check the Conditional Access policies enforcing ToU acceptance for guest users. They will review guest user acceptance records with timestamps and verify an acceptance coverage rate of 95% or higher.
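The two Entra checks described above, the Conditional Access policy that gates guests on the ToU and the guest acceptance coverage against the 95% threshold, can be evidenced from Microsoft Graph data. The script below is an added example, not part of the original page or any Microsoft tooling. It works on constructed sample records shaped like Graph's `conditionalAccessPolicy` and `agreementAcceptance` resources (the agreement id, guest names and timestamps are placeholders), so it runs offline; in production the same functions would be fed the JSON returned by `GET /identity/conditionalAccess/policies`, `GET /users?$filter=userType eq 'Guest'` and `GET /identityGovernance/termsOfUse/agreements/{id}/acceptances`. It deliberately covers the cases a raw acceptance count gets wrong: a decline followed by a later acceptance, an acceptance that has expired, and an acceptance of a different agreement.

```python
"""Evidence checks for ISO 27001 A.6.6 in Microsoft 365 (added example).

1. Does the Conditional Access policy really enforce the guest Terms of Use
   (enabled rather than report-only, targets guests, ToU grant control)?
2. What share of guests hold a current acceptance, and who is missing?

All records below are CONSTRUCTED sample data shaped like Microsoft Graph's
conditionalAccessPolicy and agreementAcceptance resources.
"""
from datetime import datetime, timezone

# Placeholder agreement id (hypothetical, not from the page).
GUEST_TOU_AGREEMENT_ID = "11111111-2222-3333-4444-555555555555"
# Point in time the evidence is evaluated at (constructed).
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed: the CA policy as Graph would return it.
SAMPLE_CA_POLICY = {
    "displayName": "Guests - require confidentiality ToU",
    "state": "enabled",
    "conditions": {"users": {
        "includeUsers": [],
        "includeGuestsOrExternalUsers": {
            "guestOrExternalUserTypes": "b2bCollaborationGuest,b2bCollaborationMember",
            "externalTenants": {"membershipKind": "all"}}}},
    "grantControls": {"operator": "AND", "builtInControls": [],
                      "termsOfUse": [GUEST_TOU_AGREEMENT_ID]},
}

# Constructed: guest accounts (userType == "Guest").
SAMPLE_GUESTS = [
    {"id": "g1", "userPrincipalName": "alice_supplier.example#EXT#@contoso.example"},
    {"id": "g2", "userPrincipalName": "bob_partner.example#EXT#@contoso.example"},
    {"id": "g3", "userPrincipalName": "carol_vendor.example#EXT#@contoso.example"},
    {"id": "g4", "userPrincipalName": "dan_contractor.example#EXT#@contoso.example"},
    {"id": "g5", "userPrincipalName": "eve_supplier.example#EXT#@contoso.example"},
    {"id": "g6", "userPrincipalName": "frank_partner.example#EXT#@contoso.example"},
]

# Constructed: agreementAcceptance records, one per signed/declined ToU event.
SAMPLE_ACCEPTANCES = [
    {"userId": "g1", "agreementId": GUEST_TOU_AGREEMENT_ID, "state": "accepted",
     "recordedDateTime": "2024-01-10T09:00:00Z", "expirationDateTime": None},
    # g2 declined first and accepted later: the most recent record wins.
    {"userId": "g2", "agreementId": GUEST_TOU_AGREEMENT_ID, "state": "declined",
     "recordedDateTime": "2024-02-01T08:00:00Z", "expirationDateTime": None},
    {"userId": "g2", "agreementId": GUEST_TOU_AGREEMENT_ID, "state": "accepted",
     "recordedDateTime": "2024-02-03T10:30:00Z", "expirationDateTime": None},
    # g3 accepted, but the acceptance expired before AS_OF (re-acceptance due).
    {"userId": "g3", "agreementId": GUEST_TOU_AGREEMENT_ID, "state": "accepted",
     "recordedDateTime": "2023-05-01T12:00:00Z", "expirationDateTime": "2024-05-01T12:00:00Z"},
    # g4 accepted a different agreement: does not count for this control.
    {"userId": "g4", "agreementId": "99999999-0000-0000-0000-000000000000", "state": "accepted",
     "recordedDateTime": "2024-03-01T12:00:00Z", "expirationDateTime": None},
    # g5 has no record at all.
    {"userId": "g6", "agreementId": GUEST_TOU_AGREEMENT_ID, "state": "accepted",
     "recordedDateTime": "2024-04-15T16:45:00Z", "expirationDateTime": "2025-04-15T16:45:00Z"},
]


def policy_enforces_tou(policy, agreement_id):
    """Return (ok, reasons): ok only if the policy is enabled (not report-only),
    includes guest/external users and requires the given ToU agreement."""
    reasons = []
    if policy.get("state") != "enabled":
        reasons.append(f"state is {policy.get('state')!r}, not 'enabled'")
    users = policy.get("conditions", {}).get("users", {})
    targets_guests = ("GuestsOrExternalUsers" in users.get("includeUsers", [])
                      or bool(users.get("includeGuestsOrExternalUsers")))
    if not targets_guests:
        reasons.append("policy does not include guest/external users")
    if agreement_id not in policy.get("grantControls", {}).get("termsOfUse", []):
        reasons.append("grant controls do not require the guest ToU agreement")
    return (not reasons, reasons)


def _graph_time(value):
    """Parse Graph's ISO 8601 'Z' timestamps into aware datetimes; None stays None."""
    return None if not value else datetime.fromisoformat(value.replace("Z", "+00:00"))


def acceptance_state(acceptances, user_id, agreement_id, as_of):
    """State of the user's most recent record for this agreement:
    'accepted', 'declined', 'expired' or 'missing'."""
    mine = [a for a in acceptances
            if a["userId"] == user_id and a["agreementId"] == agreement_id]
    if not mine:
        return "missing"
    latest = max(mine, key=lambda a: _graph_time(a["recordedDateTime"]))
    if latest["state"] != "accepted":
        return latest["state"]
    expires = _graph_time(latest.get("expirationDateTime"))
    return "expired" if expires is not None and expires <= as_of else "accepted"


def tou_coverage(guests, acceptances, agreement_id, as_of, threshold=0.95):
    """Coverage report: share of guests with a current acceptance, the gaps an
    auditor would ask about, and whether the required threshold is met."""
    gaps, accepted = {}, 0
    for guest in guests:
        state = acceptance_state(acceptances, guest["id"], agreement_id, as_of)
        if state == "accepted":
            accepted += 1
        else:
            gaps[guest["userPrincipalName"]] = state
    rate = accepted / len(guests) if guests else 0.0
    return {"guests": len(guests), "accepted": accepted, "coverage": rate,
            "meets_threshold": rate >= threshold, "gaps": gaps}


if __name__ == "__main__":
    print("CA policy enforces ToU:", policy_enforces_tou(SAMPLE_CA_POLICY, GUEST_TOU_AGREEMENT_ID))
    report = tou_coverage(SAMPLE_GUESTS, SAMPLE_ACCEPTANCES, GUEST_TOU_AGREEMENT_ID, AS_OF)
    print(f"coverage {report['coverage']:.0%} of {report['guests']} guests, "
          f"meets 95%: {report['meets_threshold']}, gaps: {report['gaps']}")
```

On the constructed data only three of six guests count as covered: the expired acceptance, the acceptance of the wrong agreement and the guest with no record all surface as named gaps, which is the list an auditor will want alongside the percentage. The policy check also fails closed when the CA policy is left in report-only mode, a common reason a ToU shows low acceptance even though it appears to be "enforced".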