ISO 27001 requires that you review your contracts on a yearly basis and that your contracts include ISMS topics where relevant to the stakeholder.
We advise adding contract templates to this section, not the actual signed contracts; keep those in your documentation storage tool (Google Workspace, MS Office, Dropbox, etc.).
Make sure you have one folder with all your contracts, so you keep a good overview, and use different sub-folders for different types of contracts (or stakeholders). Limit access to these contracts within your organisation to the people who need it. During the audit the external auditor may ask to view one or two contracts as samples.
In the meantime, keep (copies of) your templates in Compleye Online and review them on a yearly basis. Examples of contract templates: Temporary Labour Contract, Labour Contract – permanent, Commercial Contract, T&C or SLA with customers, NDA, Confidentiality Agreement, Supplier Agreement, Freelancer Agreement, Data Protection Agreement, Research Agreement, Data Transfer Agreement, etc.
If you work with large companies, you are probably not using your own commercial contracts: the legal or procurement department of your customer will draft a contract that you need to review before signing. Always read it carefully, because you may have to comply with additional requirements beyond your own SLA or the ISO 27001 standard. Do not add these contracts to this section. What you can do is record those specific requirements in the Legal & Compliance section by adding a new stakeholder (the name of your large customer) with that specific requirement. You can also choose to adopt these requirements and incorporate them into your own SLA for all of your customers.
Tip for Labour Contracts – ISO 27001 requirements
A standard labour contract needs to include a separate section/article on the ISMS, and confidentiality during and after employment needs to be addressed clearly. Below are suggestions that can be added directly to the labour contract.
- A paragraph on the Information Security Management System (ISMS), including a remark on disciplinary measures in case of non-compliance, for example:
- The Employer has implemented an ISMS (Information Security Management System) and every Employee must act in accordance with the Security and Compliance rules. An IT security and compliance briefing is part of the onboarding process; the rules are subject to change as the business grows and the security rules change accordingly.
- The Employee should be aware that a failure to comply with the policy, including any arrangements put in place under it, will be investigated and may lead to disciplinary action being taken by the Employer or the appropriate external authorities.
- Check, or add, the section of the labour contract addressing confidentiality during and after employment, for example:
“The Employee is obliged, both during and after termination of the employment, to maintain strict confidentiality with regard to all matters and particulars concerning the company of the Employer, its directors/management and/or associates, with which he or she became familiar by means of his or her employment. data subject in accordance with the applicable laws.”
Do not forget that the topics above should also be addressed in contracts with freelancers and with your outsourced development partners.
| Field | Input | Options / examples |
|---|---|---|
| Stakeholders | Select from the drop-down menu the stakeholder that applies to your organisation | end user, customer, shareholder, advisory board, Employees, Suppliers, Tech Teams, Installers, Third Parties |
| Type of Contract | Free text field | Temporary Labour Contract, Labour Contract – permanent, Commercial Contract, T&C or SLA with customers, NDA, Confidentiality Agreement, Supplier Agreement, Freelancer Agreement, Data Protection Agreement, Research Agreement, Data Transfer Agreement, etc. |
| Remarks | Free text field | |