Expert Advice Community

No data security clause in existing employee and commercial contracts - should we send an addendum to all contracts?

Guest user Created:   Sep 11, 2020 Last commented:   Sep 11, 2020

I have assumed that it is recommended to have a clause referencing data security in employee and commercial contracts with suppliers and clients.

We therefore have an action to create a new standard contract for employees, suppliers and clients to include the new data security requirement.

However, my question is, what is the recommended approach for existing employees, suppliers and clients whose contracts do not include the necessary data security clause? Should we be sending an addendum to the contracts? Is it recommended that we do this as part of our ‘treatment’ action on the data security risk that employees, suppliers and clients alike pose to our business?

Expert
Rhand Leal Sep 11, 2020

Any treatment action to be taken regarding the current contracts will depend on the results of the risk assessment (i.e., are there relevant risks that can be treated by making an addendum to the contracts? To which contracts will this be applicable?) and applicable legal requirements (e.g., laws or regulations may require such an addendum to be made).

Most probably you will need to send an addendum to some or all of the contracts, but you need to decide that based on the risk assessment and applicable legal requirements. This is the whole idea behind adopting an information security management system (you have factual information and clear impacts of doing nothing to decide what to do).

For further information, see:
