ISO 27001:2022 Annex A Control 5.14

Information Transfer


The purpose of ISO 27001:2022 Annex A 5.14 is to maintain the security of information while it is being transferred, whether internally between parts of the organisation or externally to third parties.

This means that information in transit must be protected against interception, unauthorised access, alteration, loss and misdirection, and that its confidentiality, integrity and availability must be maintained for the whole of the transfer.

ISO 27001:2022 Annex A Control 5.14 requires organisations to put in place the rules, procedures or agreements needed to keep information secure when it is shared internally or sent to external parties.

Ownership of ISO 27001:2022 Annex A Control 5.14

Senior management backing is essential for establishing and enforcing the rules, procedures and agreements that 5.14 calls for.

Implementing the control also depends on the collaboration and specialist knowledge of several functions within the organisation, including the legal team, IT and security staff, and senior management.

The legal team should ensure that any transfer agreements the organisation enters into meet the requirements of Annex A 5.14, while the IT team should be actively involved in specifying and implementing the technical controls that protect information in transit, as indicated in 5.14.

General Guidance on ISO 27001:2022 Annex A 5.14

Complying with 5.14 requires the organisation to create rules, procedures and agreements, including a topic-specific information transfer policy, that give information in transit a level of protection appropriate to its assigned classification.

The level of protection should be proportionate to the sensitivity and criticality of the information being transferred. Annex A 5.14 also requires organisations to enter into transfer agreements with third-party recipients so that information is transmitted securely.

ISO 27001:2022 Annex A Control 5.14 categorises transfer types into three groups:

  • Electronic transfer.
  • Physical storage media transfer.
  • Verbal transfer.

Before detailing the specific requirements for each type of transfer, ISO 27001:2022 Annex A Control 5.14 sets out the elements that must be present in all rules, procedures and agreements covering any of the three transfer types:

  • Determine controls appropriate to the classification of the information so that it is protected in transit against unauthorised access, modification, interception, copying, destruction and denial of service.
  • Maintain a chain of custody for the information while it is in transit, and implement controls that make the transfer traceable.
  • Identify the parties involved in the transfer, such as the information owners and security personnel, and record their contact details.
  • Allocate liability in the event of an information security incident, such as a breach during transit.
  • Use the agreed labelling system so that transferred items can be identified and tracked.
  • Ensure the transfer service remains available.
  • Develop topic-specific guidelines on the acceptable methods of information transfer.
  • Follow the guidelines for retaining and disposing of all business records, including messages.
  • Consider the impact of any applicable laws, regulations or other obligations on the transfer.

Supplementary Guidance on Electronic Transfer

ISO 27001:2022 Annex A Control 5.14 details the specific content requirements for the rules, procedures and agreements associated with each of the three types of transfer. These apply in addition to the minimum content required for all three.

Rules, procedures and agreements should address the following considerations when information is transferred electronically:

  • Detect and protect against malware that may be transmitted through electronic communications.
  • Protect sensitive information contained in attachments.
  • Ensure communications reach the intended recipients, avoiding the risk of sending to an incorrect email address, postal address or phone number.
  • Obtain approval before using public external communication services.
  • Apply stronger authentication when information is sent over public networks.
  • Restrict the use of electronic communication services, e.g. by preventing automatic forwarding.
  • Advise personnel not to use SMS or instant messaging for sensitive information, since the content may be read by unauthorised people in public places.
  • Advise staff and other interested parties of the risks of fax machines, such as unauthorised access to stored messages or messages being misdirected to the wrong number.

Supplementary Guidance on Physical Storage Media Transfer

When information is transferred on physical storage media, rules, procedures and agreements should ensure that:

  • The parties notify each other of the transmission, dispatch and receipt of the information.
  • The media is correctly addressed and sent by an appropriate method.
  • Packaging protects the contents from damage in transit, for example by being resistant to heat and moisture.
  • Management has agreed a list of reliable, authorised couriers.
  • Standards for identifying couriers are defined, and a courier's identity is verified before media is handed over.
  • Tamper-resistant or tamper-evident packaging is used for sensitive or critical information.
  • Approved third-party transport or courier providers are listed and classified by the level of service they provide.
  • A log records the time of dispatch and delivery, the authorised recipient, the protective measures applied and confirmation of receipt at the destination.
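The chain-of-custody and traceability elements from the general guidance above, together with the delivery log for physical media, can be backed by something more than a paper record. The following is an added example, not code from the ISO standard or from ISMS.online, showing one way to do that in Python: the sender builds a manifest of SHA-256 digests for the files placed on the media, authenticates the manifest with an HMAC under a key agreed with the recipient out of band (for example in the transfer agreement), and every handover is appended to a hash-chained custody log. The recipient verifies the MAC and re-hashes what actually arrived, so a substituted, truncated or corrupted file is detected rather than trusted. The sample files, the shared key and the party names are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample payload standing in for files copied onto the media.
SAMPLE_FILES = {
    "payroll_2024Q1.csv": b"id,name,salary\n1,A. Example,1000\n",
    "readme.txt": b"Handle as CONFIDENTIAL. Return media after import.\n",
}

# Assumption: a key agreed with the recipient out of band (e.g. in the
# transfer agreement). It is never sent with the media itself.
SHARED_KEY = b"assumed-key-exchanged-out-of-band"


def _canonical(obj):
    """Stable JSON encoding so sender and recipient MAC the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, classification, sender, recipient):
    """Sender side: hash every file, then authenticate the whole manifest."""
    body = {
        "classification": classification,  # label that drives handling rules
        "sender": sender,
        "recipient": recipient,
        "files": {name: hashlib.sha256(data).hexdigest()
                  for name, data in sorted(files.items())},
    }
    mac = hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_manifest(manifest, received_files):
    """Recipient side: check the MAC, then re-hash what actually arrived.

    Returns (ok, detail). Any missing, altered or unexpected file fails.
    """
    body = manifest["body"]
    expected = hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, "manifest authentication failed"
    problems = []
    for name, digest in body["files"].items():
        data = received_files.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
            problems.append(f"modified: {name}")
    problems += [f"unexpected: {name}" for name in received_files
                 if name not in body["files"]]
    return (not problems), ("ok" if not problems else "; ".join(problems))


def record_custody(log, event, actor, manifest, when=None):
    """Append a hash-chained custody entry (dispatch, courier pickup, receipt)."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "event": event,
        "actor": actor,
        "manifest_mac": manifest["mac"],  # ties the entry to this consignment
        "prev": prev,
    }
    entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    log.append(entry)
    return entry


def verify_custody(log):
    """Re-walk the chain; an edited or removed entry breaks every later link."""
    prev = "0" * 64
    for entry in log:
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if fields["prev"] != prev:
            return False
        if hashlib.sha256(_canonical(fields)).hexdigest() != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    m = build_manifest(SAMPLE_FILES, "CONFIDENTIAL", "finance@example.org", "payroll-bureau")
    log = []
    record_custody(log, "dispatched", "finance@example.org", m)
    record_custody(log, "collected", "courier-123", m)
    record_custody(log, "received", "payroll-bureau", m)
    print(verify_manifest(m, SAMPLE_FILES), verify_custody(log))
```

The manifest travels with the media (or ahead of it by a separate channel); the key does not. A plain digest list without the MAC would let whoever intercepts the consignment rewrite both the files and their hashes, which is why the manifest is authenticated rather than merely hashed. The custody log is kept by the sender and recipient and reconciled on receipt, matching the log entries the control asks for.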

Supplementary Guidance on Verbal Transfer

Personnel must be made aware of the risks of exchanging information verbally, whether within the organisation or with external parties, in accordance with ISO 27001:2022 Annex A Control 5.14, and of the following rules:

  • Do not discuss confidential matters over insecure public channels or in public areas.
  • Do not leave voicemails containing confidential information, because they can be replayed by unauthorised persons or forwarded to third parties.
  • Ensure that staff and any relevant third parties are appropriately screened before they are admitted to sensitive conversations.
  • Fit rooms used for confidential conversations with adequate soundproofing.
  • Issue a disclaimer at the start of any sensitive conversation.

Changes and Differences From ISO 27001:2013

ISO 27001:2022 Annex A 5.14 supersedes ISO 27001:2013 Annex A 13.2.1, 13.2.2 and 13.2.3.

The two versions bear some resemblance, but several distinctions make the 2022 requirements more demanding.

Specific Requirements for Electronic, Physical and Verbal Transfers

Section 13.2.3 in the 2013 version covered the particular demands for the transmission of data by electronic messaging.

However, it did not specifically address the transmission of information through verbal or physical means.

In comparison, the 2022 version is precise in its identification of three types of information transfer, and outlines the necessary content for each of them individually.

ISO 27001:2022 Sets Stricter Requirements for Electronic Transfer

Annex A 5.14 of the 2022 version sets out more stringent requirements for the content of electronic messaging rules, procedures and agreements than Section 13.2.3 of the 2013 version did.

Organisations must define and implement these additional requirements for electronic transfers in the form of rules, procedures and agreements to comply with ISO 27001:2022.

For example, organisations should caution their staff against utilising SMS services when transmitting sensitive information.

Detailed Requirements for Physical Transfers

The 2022 version imposes stricter regulations on the physical transfer of storage media. For example, it is more thorough in its authentication of couriers and safeguards against different forms of damage.

Structural Changes

In the 2013 version, explicit reference was made to the required content of information transfer agreements. However, the 'rules' and 'procedures' were not outlined in detail.

For ISO 27001:2022, specific criteria are outlined for each of the three approaches.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Organisational Controls | Annex A 5.1 | Annex A 5.1.1, Annex A 5.1.2 | Policies for Information Security
Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities
Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties
Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities
Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities
Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups
Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence
Organisational Controls | Annex A 5.8 | Annex A 6.1.5, Annex A 14.1.1 | Information Security in Project Management
Organisational Controls | Annex A 5.9 | Annex A 8.1.1, Annex A 8.1.2 | Inventory of Information and Other Associated Assets
Organisational Controls | Annex A 5.10 | Annex A 8.1.3, Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets
Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets
Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information
Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information
Organisational Controls | Annex A 5.14 | Annex A 13.2.1, Annex A 13.2.2, Annex A 13.2.3 | Information Transfer
Organisational Controls | Annex A 5.15 | Annex A 9.1.1, Annex A 9.1.2 | Access Control
Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management
Organisational Controls | Annex A 5.17 | Annex A 9.2.4, Annex A 9.3.1, Annex A 9.4.3 | Authentication Information
Organisational Controls | Annex A 5.18 | Annex A 9.2.2, Annex A 9.2.5, Annex A 9.2.6 | Access Rights
Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships
Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements
Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain
Organisational Controls | Annex A 5.22 | Annex A 15.2.1, Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services
Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services
Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation
Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events
Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents
Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents
Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence
Organisational Controls | Annex A 5.29 | Annex A 17.1.1, Annex A 17.1.2, Annex A 17.1.3 | Information Security During Disruption
Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity
Organisational Controls | Annex A 5.31 | Annex A 18.1.1, Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights
Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records
Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII
Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security
Organisational Controls | Annex A 5.36 | Annex A 18.2.2, Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security
Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening
People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment
People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training
People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process
People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment
People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements
People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working
People Controls | Annex A 6.8 | Annex A 16.1.2, Annex A 16.1.3 | Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters
Physical Controls | Annex A 7.2 | Annex A 11.1.2, Annex A 11.1.6 | Physical Entry
Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities
Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring
Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats
Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas
Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen
Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection
Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises
Physical Controls | Annex A 7.10 | Annex A 8.3.1, Annex A 8.3.2, Annex A 8.3.3, Annex A 11.2.5 | Storage Media
Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities
Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security
Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance
Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Technological Controls | Annex A 8.1 | Annex A 6.2.1, Annex A 11.2.8 | User Endpoint Devices
Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights
Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction
Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code
Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication
Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management
Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware
Technological Controls | Annex A 8.8 | Annex A 12.6.1, Annex A 18.2.3 | Management of Technical Vulnerabilities
Technological Controls | Annex A 8.9 | NEW | Configuration Management
Technological Controls | Annex A 8.10 | NEW | Information Deletion
Technological Controls | Annex A 8.11 | NEW | Data Masking
Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention
Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup
Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities
Technological Controls | Annex A 8.15 | Annex A 12.4.1, Annex A 12.4.2, Annex A 12.4.3 | Logging
Technological Controls | Annex A 8.16 | NEW | Monitoring Activities
Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization
Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs
Technological Controls | Annex A 8.19 | Annex A 12.5.1, Annex A 12.6.2 | Installation of Software on Operational Systems
Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security
Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services
Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks
Technological Controls | Annex A 8.23 | NEW | Web Filtering
Technological Controls | Annex A 8.24 | Annex A 10.1.1, Annex A 10.1.2 | Use of Cryptography
Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle
Technological Controls | Annex A 8.26 | Annex A 14.1.2, Annex A 14.1.3 | Application Security Requirements
Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles
Technological Controls | Annex A 8.28 | NEW | Secure Coding
Technological Controls | Annex A 8.29 | Annex A 14.2.8, Annex A 14.2.9 | Security Testing in Development and Acceptance
Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development
Technological Controls | Annex A 8.31 | Annex A 12.1.4, Annex A 14.2.6 | Separation of Development, Test and Production Environments
Technological Controls | Annex A 8.32 | Annex A 12.1.2, Annex A 14.2.2, Annex A 14.2.3, Annex A 14.2.4 | Change Management
Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information
Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing

How ISMS.online Helps

Implementing ISO 27001:2022 can be made simpler with our step-by-step checklist. It will guide you through the entire process from defining the scope of your ISMS to identifying risks and implementing controls.
