Background
----------

ISO/IEC 27002:2022 clause 6.2 indicates that "The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security [in order] to ensure personnel understand their information security responsibilities for the roles for which they are considered."

Policy statements
-----------------

1. Employment and service contracts should align with the organisation's information security policies and applicable laws.
2. As a condition of employment, information risk and security-related roles and responsibilities should be clearly laid out and accepted, e.g. before being granted access to highly confidential data, workers should sign non-disclosure agreements.
3. Information security-related obligations that persist after workers leave the organisation should be clarified as part of the exit process, e.g. maintaining confidentiality of trade secrets and personal information.

Notes
-----

This is a “skeleton” policy providing just the bare bones, the basic foundations on which to construct a custom policy for your organisation. Jump-start the process by visiting www.SecAware.com for a more comprehensive customisable policy template in MS Word.