**Terms and conditions of employment**\\

^ Control type ^ Information Security Properties ^ Cybersecurity concepts ^ Operational capabilities ^ Security domains ^
| Preventative | Confidentiality, Integrity, Availability | Protect | HR security | Governance and ecosystem |

**Definition**\\
The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security.

**What to include in the employment contract**\\
The following can be considered:
• NDA, non-disclosure agreements
• confidentiality agreements
• legal rights

**Additional guidance**\\
• classification of information
• management of information
• management of assets
• information processing facilities
• information services
• handling information you get from third parties and interested parties
• what actions will be taken if you don’t follow the information security requirements

**Communication**\\
You will communicate roles and responsibilities for information security during the pre-employment phase of your process.

**Agreement**\\
Information security requirements should be agreed. This is usually done by the employee signing the contract and you keeping a copy of the contract on file.

**Appropriateness of terms**\\
You want to make sure that any terms and requirements are appropriate to the person, their role, what they do and the access they have.

**Review of terms**\\
As a process of continual improvement, be sure to review the terms you have, especially if you change your policies or if laws or regulations change.

**Non-Disclosure Agreement**\\
Certain obligations remain in place after employment ends, usually for a defined period of time. Consider things like a non-disclosure agreement and confidentiality agreement that you may want in place for 12 months after employment ends.

**Employee handbook / code of conduct**\\
Having an employee handbook or code of conduct is a fantastic way to share and communicate information security responsibilities and key messages, and I have seen this work well in many organizations.

**Employees that come from agency / third party**\\
If you have employees that you do not employ directly but rather engage through an agency or third party, then the agency or third party should really enter into a contract on behalf of those people.