Question regarding NDA
Would like to know whether the party certified under ISO 27001 should obtain NDAs from the employees of the outsourcer, or whether the NDA between the outsourcer and the party is sufficient.
By your question, I’m assuming that control A.13.2.4 Confidentiality or nondisclosure agreements is applicable to your scenario.
Considering that, the answer to this question will depend on the laws and regulations applicable to your jurisdiction, so you should consider hiring local legal expert advice.
For example, some laws and regulations may require an NDA only from the outsourcer organization, or that this NDA must be extended to individual NDAs for their employees.
This article may provide you a start on applicable laws and regulations, but note that these references depend on the contributions of our readers, and some of them can be outdated:
- Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
For further information, see:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
Mar 12, 2021