ISO 27001:2022 Annex A 5.14 – Information Transfer

Ownership of ISO 27001:2022 Annex A Control 5.14

The backing and acceptance of senior management is essential for the formation and execution of regulations, protocols, and contracts.

It is, however, imperative to have the collaboration and specialist knowledge of various players within the organisation, such as the legal staff, IT personnel, and top brass.

The legal team should ensure the organisation enters into transfer agreements that adhere to ISO 27001:2022 Annex A Control 5.14. Additionally, the IT team should be actively involved in specifying and executing controls for safeguarding data, as indicated in 5.14.

General Guidance on ISO 27001:2022 Annex A 5.14

Ensuring compliance with 5.14 requires the creation of rules, procedures and agreements, including a data transfer policy that is specific to the topic, and gives data in transit an appropriate protection level according to the classification it is assigned.

The level of security should be proportional to the importance and sensitivity of the data being sent. ISO 27001:2022 Annex A 5.14 also requires organisations to enter into transfer agreements with recipient third parties to ensure secure transmission of data.

ISO 27001:2022 Annex A Control 5.14 categorises transfer types into three groups:

• Electronic transfer.
• Physical storage media transfer.
• Verbal transfer.

Before progressing to detail the specific demands of each type of transfer, ISO 27001:2022 Annex A Control 5.14 outlines the elements that must be present in all regulations, procedures, and contracts pertaining to all three transfers in general:

• Organisations must determine appropriate controls based on the classification level of information in order to protect it while in transit from unauthorised access, alteration, interception, duplication, destruction and denial-of-service assaults.
• Organisations must keep track of the chain of custody while in transit and establish and carry out controls to guarantee the traceability of data.
• Specify who is involved in the data transfer and give their contact info, such as the data owners and the security personnel.
• In the event of a data breach, liabilities shall be allocated.
• Implement a labelling system to keep track of items.
• Ensuring the transfer service is available.
• Guidelines regarding the methods of information transfer should be developed according to specific topics.
• Guidelines for storing and discarding all business documents, including messages, must be followed.
• Examine the impact any applicable laws, regulations, or other obligations may have on the transfer.

Supplementary Guidance on Electronic Transfer

ISO 27001:2022 Annex A Control 5.14 details the specific content requirements for rules, procedures and agreements associated with the three types of transfers. The minimum content requirements must be adhered to across all three.

Rules, agreements and procedures should address the following considerations when transferring information electronically:

• The identification and thwarting of malware assaults is paramount. It is essential that you use the latest technology to detect and prevent attacks from malicious software.
• Ensuring the security of confidential information found in the attachments sent.
• Ensure communications are sent to the appropriate recipients by avoiding the risk of sending to the incorrect email address, address or phone number.
• Gain permission before beginning to utilise any public communication services.
• Stricter authentication methods should be employed when sending data via public networks.
• Imposing limits on the usage of e-communication services, e.g. prohibiting automated forwarding.
• Advise personnel to avoid using short message or instant message services to share sensitive data, as the content could be viewed by unauthorised individuals in public areas.
• Advise staff and other interested parties on the protection risks that fax machines may pose, such as unauthorised access or misdirecting messages to certain numbers.

Supplementary Guidance on Physical Storage Media Transfer

When information is physically shared, rules, procedures, and agreements should include:

• Parties are responsible for notifying each other of the transmission, dispatch and receipt of information.
• Ensuring the message is addressed correctly and sent appropriately.
• Good packaging eliminates the chance of damage to the contents during transit. For example, the packaging should be resistant to heat and moisture.
• A reliable, authorised courier list has been agreed upon by management.
• An overview of courier identification standards.
• For sensitive and critical information, tamper-resistant bags should be employed.
• Verifying the identities of couriers is important.
• This list of third parties, classified according to their level of service, provides transportation or courier services and has been approved.
• Record the time of delivery, authorised receiver, safety measures taken and confirmation of receipt at the destination in a log.

Supplementary Guidance on Verbal Transfer

Personnel must be made aware of the risks associated with exchanging information within the organisation or transmitting data to external parties, in accordance with ISO 27001:2022 Annex A Control 5.14. These risks include:

• They should refrain from discussing confidential matters in insecure public channels or in public areas.
• One ought not leave voicemails with confidential information due to the danger of replay by those not authorised, as well as the risk of re-routing to third parties.
• Individuals, both staff and other applicable third parties, should be screened prior to being granted admission to conversations.
• Rooms used for confidential conversations should be fitted with necessary soundproofing.
• Prior to engaging in any sensitive dialogue, a disclaimer should be issued.

Changes and Differences From ISO 27001:2013?

ISO 27001:2022 Annex A 5.14 supersedes ISO 27001:2013 Annex A 13.2.1, 13.2.2 and 13.2.3.

The two controls bear some resemblance, however two major distinctions make the requirements of 2022 more burdensome.

Specific Requirements for Electric, Physical and Verbal Transfers

Section 13.2.3 in the 2013 version covered the particular demands for the transmission of data by electronic messaging.

However, it did not specifically address the transmission of information through verbal or physical means.

In comparison, the 2022 version is precise in its identification of three types of information transfer, and outlines the necessary content for each of them individually.

ISO 27001:2022 Sets Stricter Requirements for Electronic Transfer

Section 13.2.3 of the 2022 Version sets out more stringent requirements for the content of electronic messaging agreements.

Organisations must detail and execute new regulations for digital transfers in the form of rules, procedures, and contracts for ISO 27001:2022.

For example, organisations should caution their staff against utilising SMS services when transmitting sensitive information.

Detailed Requirements for Physical Transfers

The 2022 version imposes stricter regulations on the physical transfer of storage media. For example, it is more thorough in its authentication of couriers and safeguards against different forms of damage.

Structural Changes

In the 2013 version, an explicit reference was made to the necessary requirements of information transfers agreements. However, the ‘Rules’ and ‘Procedures’ were not outlined in detail.

For ISO 27001:2022, specific criteria are outlined for each of the three approaches.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Helps

Implementing ISO 27001:2022 can be made simpler with our step-by-step checklist. It will guide you through the entire process from defining the scope of your ISMS to identifying risks and implementing controls.

Book your demonstration today. Appointments are available seven days a week, so schedule yours at a time that works for you.