When information is transferred to internal or external parties, it creates a heightened risk to the confidentiality, integrity, availability, and security of information transmitted.
Control 5.14 entails the requirements that organisations must satisfy to maintain the security of data when it is shared internally or when it flows out of the organisation to third parties.
Control 5.14 is a preventive type of control that requires organisations to put in place appropriate rules, procedures, and/or agreements to maintain the security of data when it is shared within an organisation or when transmitted to third parties.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset Management #Information Protection | #Protection |
While the development and implementation of rules, procedures, and agreements require the support and approval of high-level management, the cooperation and expertise of different stakeholders within an organisation, including the legal team, IT staff, and upper management, is of critical importance.
For instance, the legal team should ensure that the organisation enters into transfer agreements with third parties and that these agreements are in line with the requirements specified in Control 5.14. Likewise, the IT team should take an active part in defining and implementing controls to maintain the security of data as set out in 5.14.
Compliance with 5.14 entails the development of rules, procedures, and agreements, including a topic-specific information transfer policy, that provides data in transit with a level of protection appropriate to the classification assigned to that information.
In other words, the level of protection should match the level of criticality and sensitivity of information transmitted.
Furthermore, Control 5.14 specifies that organisations must sign transfer agreements with recipient third parties to guarantee secure transmission of data.
Control 5.14 groups the types of transfer into three categories:
Before, moving on to describe the specific requirements for each type of transfer, Control 5.14 lists the elements that must be included in all rules, procedures, and agreements for all three types of transfers in general:
After listing the minimum content requirements for rules, procedures, and agreements common across all three types of transfer, Control 5.14 lists specific content requirements for each type of transfer.
Rules, agreements, and procedures should address the following issues when information is transferred electronically:
We’ll give you an 81% headstart
from the moment you log in
Book your demo
When information is shared via physical means such as papers, the rules, procedures, and agreements should cover the following:
Control 5.14 states that when personnel exchange information within the organisation or when they transmit data to external parties, they should be informed of the following risks:
27002:2022/5.14 replaces 27002:2013/(13.2.1, 13.2.2. 13.2.3).
While the two controls are similar to some extent, two key differences make the 2022 version’s requirements more onerou.
In the 2013 version, section 13.2.3 addressed the specific requirements for the transfer of information via electronic messaging.
However, it did not separately address the transfer of information via verbal or physical manner.
In contrast, the 2022 version clearly identifies three types of information transfer and then sets out the content requirements for each of them separately.
While section 13.2.3 contained specific requirements for the content of agreements for electronic messaging, the 2022 Version imposes stricter obligations on organisations.
The 2022 Version requires organisations to describe and implement new controls in the rules, procedures, and agreements for electronic transfers.
For instance, organisations should advise their employees not to use SMS services when they include sensitive information.
The 2022 version sets more stringent requirements on the physical storage media transfer. For instance, its requirements are more comprehensive in respect of authentication of couriers and the types of damages that should be prevented.
In the 2013 version, there was an explicit reference to specific requirements for agreements for information transfers. However, the ‘Rules’ and ‘Procedures’ were not addressed specifically.
In contrast, the 2022 version sets out the specific requirements for each of these three mechanisms.
ISO 27002 implementation is simpler with our step-by-step checklist that guides you through the whole process, from defining the scope of your ISMS through risk identification and control implementation.
Get in touch today to book a demo.
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |