A.6.6 Confidentiality or Non-Disclosure Agreements
What is A.6.6 Confidentiality or Non-Disclosure Agreements?
ISO 27001 control A.6.6 Confidentiality or Non-Disclosure Agreements ensures that all personnel and external parties granted access to non-public information are bound by formal, legally-binding confidentiality or non-disclosure agreements. The organisation implements contractual NDAs for external parties and enforces confidentiality obligations through Microsoft Entra Terms of Use policies for guests and Microsoft Purview Information Protection labels for classified data.
How to implement A.6.6 in Microsoft 365
Implement A.6.6 by developing comprehensive NDAs for external parties, including suppliers, customers, contractors, and B2B partners, with clear confidentiality obligations covering classified information. Document an authorised-signatories matrix for standard agreements and for negotiated variances.
Establish a secure, version-controlled NDA repository in SharePoint Online with access restricted to Legal, HR, and Executive personnel. For external parties, require execution of a binding legal agreement before an Entra B2B guest account is provisioned.
Create a Microsoft Entra Terms of Use policy for external and guest users that reinforces their confidentiality obligations on first sign-in, enforced through a linked Conditional Access policy.
What an auditor checks for A.6.6
- Auditors will verify formal NDA agreements for external parties with execution dates and version control.
- They will check authorised signatory documentation and sample signed agreements.
- Auditors will review the secure NDA repository in SharePoint Online with version control and restricted access.
- They will verify Microsoft Entra Terms of Use policies for external and guest users.
- Auditors will check Conditional Access policies enforcing ToU acceptance for guest users.
- They will review guest user acceptance records with timestamps and verify acceptance coverage rate of 95% or higher.
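The ToU-linked Conditional Access policy from the implementation steps above, together with the guest acceptance-coverage check auditors ask for, as an added Microsoft Graph PowerShell example (not code from the original page). The agreement name, policy name and the break-glass exclusion are assumptions; the 95% threshold is the figure the page cites.

```powershell
# Added example, not from the original page. Requires the Microsoft Graph PowerShell SDK
# and a Terms of Use agreement already created in the Entra admin center.
# Agreement and policy names below are hypothetical.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Agreement.Read.All","AgreementAcceptance.Read.All","User.Read.All"

# 1. Locate the ToU agreement that carries the confidentiality wording.
$agreement = Get-MgAgreement -All | Where-Object { $_.DisplayName -eq "External Party Confidentiality Terms" }
if (-not $agreement) { throw "Create the Terms of Use agreement first (Conditional Access > Terms of use)." }

# 2. Conditional Access policy: all guest/external users, all cloud apps, grant = accept ToU.
#    Created in report-only mode; set state to "enabled" once the sign-in logs look right.
$policy = @{
    displayName = "CA-Guests-Require-Confidentiality-ToU"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,internalGuest,otherExternalUser"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
            excludeUsers = @()   # put the emergency-access (break-glass) account object IDs here
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator   = "OR"
        termsOfUse = @($agreement.Id)
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Audit evidence: acceptance coverage across current guest accounts, with the gap list.
$guests   = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id,UserPrincipalName
$accepted = Get-MgAgreementAcceptance -AgreementId $agreement.Id -All |
            Where-Object { $_.State -eq "accepted" } |
            ForEach-Object { $_.UserId } | Sort-Object -Unique
$missing  = $guests | Where-Object { $accepted -notcontains $_.Id }
$coverage = if ($guests.Count) { 100 * ($guests.Count - $missing.Count) / $guests.Count } else { 100 }
"{0} of {1} guests have accepted ({2:N1}%)" -f ($guests.Count - $missing.Count), $guests.Count, $coverage
if ($coverage -lt 95) { $missing | Select-Object UserPrincipalName | Format-Table }
```

Guests who have never signed in since the policy was created will show as missing, which is expected under first-sign-in enforcement; the acceptance records returned in step 3 carry the timestamps (RecordedDateTime) the auditor samples.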
What your auditor expects for A.6.6
- Microsoft Entra admin center > Protection > Conditional Access > Terms of use
- Conditional Access > Policies
M365 capabilities that implement this control
Tracks professional development across the team in the Audit Agent — Microsoft certifications (AZ-500, SC-300, MS-700), vendor qualifications, and capability coverage mapping for workloads including Exchange, Intune, Sentinel, and Purview. Monitors training plans with target completion dates and flags single-point-of-failure risks where only one individual holds certification for a capability. Feeds into ISO 27001 A.6.3 and A.6.6 evidence alongside the awareness data.