Ensuring Secure Information Transfers: ISO 27701 Clause 6.10.2 Explained
Information is often at its most vulnerable when it is being transferred from one location to another – either physically, digitally or verbally.
Organisations need to safeguard PII that is in transit, and provide employees and suppliers with a clear set of guidelines on how to conduct themselves when moving information from one source to another.
What’s Covered in ISO 27701 Clause 6.10.2
ISO 27701 Clause 6.10.2 contains four sub-clauses that address privacy protection within the scope of information transfers. Each sub-clause draws on guidance from ISO 27002:
- ISO 27701 6.10.2.1 – Information transfer policies and procedures (ISO 27002 Control 5.14).
- ISO 27701 6.10.2.2 – Agreements for information transfer (ISO 27002 Control 5.14).
- ISO 27701 6.10.2.3 – Electronic messaging (ISO 27002 Control 5.14).
- ISO 27701 6.10.2.4 – Confidentiality or non-disclosure agreements (ISO 27002 Control 6.6).
Two of the sub-clauses (6.10.2.1 and 6.10.2.4) contain guidance that is applicable under UK GDPR legislation; no additional PIMS- or PII-specific guidance is offered beyond the general guidance points already stated.
ISO 27701 Clause 6.10.2.1 – Information Transfer Policies and Procedures
References ISO 27002 Control 5.14
Information transfer operations should:
- Focus on controls that prevent the interception, unauthorised access, copying, modification, misrouting, destruction and denial of service of PII and privacy-related information (see ISO 27002 Control 8.24).
- Ensure that information is traceable.
- Maintain a categorised list of contacts (e.g. information owners, risk owners).
- Outline responsibilities in the event of a security incident.
- Include clear and concise labelling systems (see ISO 27002 Control 5.13).
- Ensure a reliable transfer facility, including topic-specific policies on the transfer of data (see ISO 27002 Control 5.10).
- Outline retention and disposal guidelines, including any region or sector-specific laws and guidelines.
Electronic Transfer
When utilising electronic transfer facilities, organisations should:
- Attempt to detect and protect against malicious programs (see ISO 27002 Control 8.7).
- Focus on protecting attachments.
- Take great care in sending information to the correct address.
- Mandate an approvals process before employees are able to transmit information via ‘external public services’ (e.g. instant messaging), and exercise greater control over such methods.
- Avoid using SMS services and fax machines, where possible.
Physical Transfers (Including Storage Media)
When transferring physical media (including paper documents) between premises or external locations, organisations should:
- Outline clear responsibilities for despatch and receipt.
- Take great care inputting the correct address details.
- Use packaging that offers protection from physical damage or tampering.
- Operate with a list of authorised couriers and third-party despatchers, including robust identification standards.
- Keep thorough logs of all physical transfers, including recipient details, dates and times of transfers, and any physical protection measures.
Verbal Transfers
Verbally conveying sensitive information presents a unique security risk, particularly where PII and privacy protection is concerned.
Organisations should remind employees to:
- Avoid having such conversations in a public place, or unsecured internal location.
- Avoid leaving voicemail messages that contain sensitive or restricted information.
- Ensure that the person they are speaking to is of an appropriate level to receive said information, and inform them of what is going to be said prior to divulging information.
- Be mindful of their surroundings and ensure that room controls are adhered to.
Applicable GDPR Articles
- Article 5 – (1)(f)
Relevant ISO 27002 Controls
- ISO 27002 5.13
- ISO 27002 8.7
- ISO 27002 8.24
ISO 27701 Clause 6.10.2.2 – Agreements for Information Transfer
References ISO 27002 Control 5.14
See ISO 27701 Clause 6.10.2.1
ISO 27701 Clause 6.10.2.3 – Electronic Messaging
References ISO 27002 Control 5.14
See ISO 27701 Clause 6.10.2.1
ISO 27701 Clause 6.10.2.4 – Confidentiality or Non-disclosure Agreements
References ISO 27002 Control 6.6
Organisations should use non-disclosure agreements (NDAs) and confidentiality agreements to protect against the wilful or accidental divulgence of sensitive information to unauthorised personnel.
When drafting, implementing and maintaining such agreements, organisations should:
- Define the information that is to be protected.
- Clearly outline the expected duration of the agreement.
- Clearly state any actions required once an agreement has been terminated.
- State the responsibilities agreed by confirmed signatories.
- Establish ownership of information (including IP and trade secrets).
- Specify how signatories are permitted to use the information.
- Clearly outline the organisation’s right to monitor confidential information.
- Set out the repercussions that will arise from non-compliance.
- Regularly review their confidentiality needs, and adjust any future agreements accordingly.
Confidentiality laws vary from jurisdiction to jurisdiction, and organisations should consider their own legal and regulatory obligations when drafting NDAs and confidentiality agreements (see ISO 27002 Controls 5.31, 5.32, 5.33 and 5.34).
Applicable GDPR Articles
- Article 5 – (1)
- Article 25 – (1)(f)
- Article 28 – (3)(b)
- Article 38 – (5)
Relevant ISO 27002 Controls
- ISO 27002 5.31
- ISO 27002 5.32
- ISO 27002 5.33
- ISO 27002 5.34
Supporting Controls From ISO 27002 and GDPR
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27001 Requirement | Associated GDPR Articles |
|---|---|---|---|
| 6.10.2.1 | Information Transfer Policies and Procedures | 5.14 – Information Transfer for ISO 27002 | Article (5) |
| 6.10.2.2 | Agreements for Information Transfer | 5.14 – Information Transfer for ISO 27002 | None |
| 6.10.2.3 | Electronic Messaging | 5.14 – Information Transfer for ISO 27002 | None |
| 6.10.2.4 | Confidentiality or Non-disclosure Agreements | 6.6 – Confidentiality or Non-Disclosure Agreements for ISO 27002 | Article (5), (25), (28), (38) |