NDAs and non-competition clauses
Is this clause mandatory for ISO 27001 compliance? Can it be avoided? Are there any best/shared practices for how to successfully implement this without forcing employees to sign a non-competition clause or non-disclosure agreement after the end of the contract? *(as I outlined, this can be rather costly with increased attrition..)
Answer:
Control A.7.3.1 is not about non-competition clauses; it is about how to close/change access to systems and data after an employee leaves the company or changes his/her position within the company.
Non-competition clauses and NDAs are normally defined as part of control A.7.1.2 Terms and conditions of employment. If you want to avoid a non-competition clause and you are afraid that a particular employee might abuse the information when starting to work for the competition, then you should not allow this employee to access your most sensitive information, and/or your business model should be developed in such a way that its competitiveness cannot be threatened solely by information leakage.
Any control can be avoided, i.e. declared non-applicable - this must be done in the Statement of Applicability, based on the results of the risk assessment. Here are the articles that explain the details:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Jun 11, 2017