1. Framework FAQs

ISO 27001:2022 A.5.14 Information transfer

This article provides additional information on how you can meet the requirement of ISO 27001:2022 control A.5.14, Information transfer.

ISO 27001:2022 Control Description

Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organisation and between the organisation and other parties.

Purpose

To maintain the security of information transferred within an organisation and with any external interested party.

Guidance on implementation

The organisation should establish and communicate a topic-specific policy on information transfer to all relevant interested parties. Rules, procedures, and agreements to protect information in transit should reflect the classification of the information involved. Where information is transferred between the organisation and third parties, transfer agreements (including recipient authentication) should be established and maintained to protect information in all forms in transit.

Information transfer can occur through electronic transfer, physical storage media transfer, and verbal transfer.

For all types of information transfer, rules, procedures, and agreements should include:

a) Controls designed to protect transferred information from interception, unauthorised access, copying, modification, misrouting, destruction, and denial of service, including levels of access control commensurate with the classification of the information involved and any special controls required to protect sensitive information, such as the use of cryptographic techniques

b) Controls to ensure traceability and non-repudiation, including maintaining a chain of custody for information while in transit

c) Identification of appropriate contacts related to the transfer, including information owners, risk owners, security officers, and information custodians, as applicable

d) Responsibilities and liabilities in the event of information security incidents, such as the loss of physical storage media or data

e) Use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected

f) Reliability and availability of the transfer service

g) The topic-specific policy or guidelines on acceptable use of information transfer facilities

h) Retention and disposal guidelines for all business records, including messages

NOTE: Local legislation and regulations may exist regarding the retention and disposal of business records.

i) Consideration of any other relevant legal, statutory, regulatory, and contractual requirements related to the transfer of information (e.g. requirements for electronic signatures).

Electronic Transfer

Rules, procedures, and agreements should also consider the following items when using electronic communication facilities for information transfer:

a) Detection of and protection against malware that can be transmitted through the use of electronic communications;

b) Protection of communicated sensitive electronic information that is in the form of an attachment;

c) Prevention against sending documents and messages to the wrong address or number;

d) Obtaining approval prior to using external public services such as instant messaging, social networking, file sharing, or cloud storage;

e) Stronger levels of authentication when transferring information via publicly accessible networks;

f) Restrictions associated with electronic communication facilities (e.g. preventing automatic forwarding of electronic mail to external mail addresses);

g) Advising personnel and other interested parties not to send short message service (SMS) or instant messages containing critical information, as these can be read in public places (and therefore by unauthorised persons) or stored in devices not adequately protected;

h) Advising personnel and other interested parties about the issues with using fax machines or services, namely:

  1. Unauthorised access to built-in message stores to retrieve messages;
  2. Deliberate or accidental programming of machines to send messages to specific numbers.
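Item f) above names a concrete technical control: preventing automatic forwarding of e-mail to external addresses. The Exchange Online PowerShell script below is an added example (not part of this article or of the standard) showing how an administrator can first audit mailboxes and user-created inbox rules for forwarding to addresses outside the tenant's accepted domains, and then apply the tenant-wide block. It assumes an existing Exchange Online session (Connect-ExchangeOnline) with rights to read mailboxes and inbox rules and to modify remote domain and outbound spam settings.

```powershell
# Added example: audit and then block external auto-forwarding in Exchange Online.
# Assumes Connect-ExchangeOnline has already been run with sufficient rights.

# The tenant's accepted domains define what counts as "internal".
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Forwarding targets appear as "smtp:user@domain" on mailboxes and as
    # '"Display Name" [SMTP:user@domain]' on inbox rules; extract the address.
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    if ($Address -notmatch '[\w.+-]+@[\w.-]+') { return $false }
    $domain = ($Matches[0].ToLower() -split '@')[-1]
    return -not ($internalDomains -contains $domain)
}

# 1. Collect findings: administrator-set forwarding and user inbox rules.
$findings = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    if (Test-ExternalAddress $mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress
                           Source  = 'ForwardingSmtpAddress'
                           Target  = $mbx.ForwardingSmtpAddress }
    }
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue | ForEach-Object {
        $rule = $_
        @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { Test-ExternalAddress $_ } | ForEach-Object {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress
                                   Source  = "InboxRule:$($rule.Name)"
                                   Target  = $_ }
            }
    }
}

# Review these with the information owners before enforcing the block.
$findings | Format-Table -AutoSize

# 2. Tenant-wide block: disable auto-forwarding to every external (remote) domain,
#    and set the outbound spam policy so the block cannot be bypassed by user rules.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Findings from step 1 give the traceability evidence an auditor will ask for, while step 2 is the preventive setting; legitimate business forwarding should instead be handled through approved mail flow rules rather than by re-enabling auto-forwarding.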

Physical Storage Media Transfer

When transferring physical storage media (including paper), rules, procedures, and agreements should also include:

a) Responsibilities for controlling and notifying transmission, dispatch, and receipt;

b) Ensuring correct addressing and transportation of the message;

c) Packaging that protects the contents from any physical damage likely to arise during transit and in accordance with any manufacturers’ specifications, for example, protecting against any environmental factors that could reduce the effectiveness of storage media restoration, such as exposure to heat, moisture, or electromagnetic fields; using minimum technical standards for packaging and transmission (e.g. the use of opaque envelopes);

d) A list of authorised reliable couriers agreed by management;

e) Courier identification standards;

f) Depending on the classification level of the information in the storage media to be transported, use tamper-evident or tamper-resistant controls (e.g. bags, containers);

g) Procedures to verify the identification of couriers;

h) Approved list of third parties providing transportation or courier services depending on the classification of the information;

i) Keeping logs for identifying the content of the storage media, the protection applied, as well as recording the list of authorised recipients, the times of transfer to the transit custodians, and receipt at the destination.

Verbal Transfer

To protect the verbal transfer of information, personnel and other interested parties should be reminded that they should:

a) Not have confidential verbal conversations in public places or over insecure communication channels, as these can be overheard by unauthorised persons;

b) Not leave messages containing confidential information on answering machines or voice messages, as these can be replayed by unauthorised persons, stored on communal systems, or stored incorrectly due to misdialling;

c) Be screened to the appropriate level to listen to the conversation;

d) Begin any sensitive conversations with a disclaimer so that those present are aware of the classification level.