Implementing ISO 27001 Annex A 5.14 means deploying secure information transfer controls that safeguard data in transit against interception and unauthorised access. The control mandates the enforcement of Transport Layer Security (TLS), the execution of transfer agreements, and the implementation of Data Loss Prevention (DLP) measures to keep communications confidential.
ISO 27001 Annex A Information Transfer Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.14 by establishing rigid technical and procedural gateways for all data leaving your network. Compliance requires moving beyond “acceptable use” documents to enforcing encryption protocols, locking down external sharing features, and auditing the physical chain of custody for offline transfers.
1. Enforce TLS 1.2+ for All Email Transmission
Control Requirement: Information transferred via electronic messaging must be protected in transit. Required Implementation Step: Configure your mail gateway (Exchange Online / Google Workspace) to enforce “Mandatory TLS” for all partner connectors. Run a report using a tool such as `CheckTLS.com` to verify that your MTA (Mail Transfer Agent) refuses to deliver to receiving servers that do not support at least TLS 1.2.
Minimum Requirement: Emails to external clients must fail to send if encryption cannot be negotiated; cleartext fallback is disabled.
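The following is an added example, not part of the original checklist and not CheckTLS or a vendor report. It performs the step 1 check from the sending side: it opens an SMTP session to a receiving MX you name (the host is an assumption you supply), attempts STARTTLS under a context that refuses anything below TLS 1.2, and reports whether a mandatory-TLS connector would deliver or fail.

```python
import smtplib
import ssl

# Added example, not CheckTLS or a vendor tool. A receiving MX that cannot
# complete a TLS 1.2+ handshake is reported as non-deliverable, which is the
# behaviour a "Mandatory TLS" connector enforces instead of cleartext fallback.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def strict_tls_context() -> ssl.SSLContext:
    """Context mirroring a mandatory-TLS connector: certificate verified,
    hostname checked, nothing below TLS 1.2 accepted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


def version_meets_policy(negotiated) -> bool:
    """True for 'TLSv1.2' or 'TLSv1.3'; False for TLSv1, TLSv1.1, SSLv3 or no TLS."""
    if not negotiated or not negotiated.startswith("TLSv"):
        return False
    major, _, minor = negotiated[4:].partition(".")
    try:
        return (int(major), int(minor or 0)) >= (1, 2)
    except ValueError:
        return False


def probe_receiver(mx_host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a receiving MX (assumed host), try STARTTLS under the strict
    context and report whether delivery would proceed under mandatory TLS."""
    result = {"host": mx_host, "starttls": False, "version": None, "deliverable": False}
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return result            # cleartext only: the send must fail
            result["starttls"] = True
            smtp.starttls(context=strict_tls_context())
            result["version"] = smtp.sock.version()   # e.g. 'TLSv1.3'
            result["deliverable"] = version_meets_policy(result["version"])
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)       # handshake refused, bad cert, timeout
    return result


if __name__ == "__main__":
    import sys
    print(probe_receiver(sys.argv[1] if len(sys.argv) > 1 else "mx.example.invalid"))
```

Run it against each partner's MX hosts; any result with `deliverable` false is a domain where a mandatory-TLS connector will bounce mail, which is the intended outcome rather than a misconfiguration.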
2. Implement Message-Level Encryption (OME)
Control Requirement: Sensitive information must remain encrypted even if the transport layer is intercepted. Required Implementation Step: Configure Exchange Transport Rules or DLP policies to automatically apply “Office 365 Message Encryption” (or S/MIME) if the subject line contains keywords like “Confidential” or if the body contains credit card patterns. This ensures the attachment is encrypted at rest within the recipient’s inbox.
Minimum Requirement: A recipient with a Gmail account must authenticate (via OTP or federation) to view a confidential document sent from your domain.
3. Ban Insecure Transfer Protocols
Control Requirement: Vulnerable transfer mechanisms must be disabled to prevent eavesdropping. Required Implementation Step: Audit your firewall logs and server configurations. Explicitly block port 21 (FTP), port 23 (Telnet), and port 80 (HTTP) for any data transfer interfaces. Reconfigure all file transfer scripts to use SFTP (FTP over SSH) or FTPS (FTP over TLS) with strong ciphers (AES-256) only.
Minimum Requirement: An attempt to connect via standard FTP results in an immediate “Connection Refused”.
4. Configure Expiring External Share Links
Control Requirement: Access to transferred information must be time-limited. Required Implementation Step: Access your SharePoint/OneDrive or Google Drive Admin Console. Set a global policy for “External Sharing”. Disable “Anyone with the link” (anonymous access). Mandate that all “Specific People” guest links expire automatically after 14 days, forcing a re-validation of access needs.
Minimum Requirement: Links sent to clients 6 months ago are dead and return a 403 Access Denied error.
5. Execute Information Transfer Agreements (ITAs)
Control Requirement: Legal protection must cover the liability of data in transit. Required Implementation Step: Before setting up a permanent VPN tunnel or API integration with a partner, draft and sign a specific Information Transfer Agreement. This document must specify the encryption standards, liability for data loss during transit, and the destruction of data upon termination. Store this contract in your ISMS repository.
Minimum Requirement: No data pipes are opened to third parties without a signed ITA defining technical security obligations.
6. Implement Mutual TLS (mTLS) for APIs
Control Requirement: Automated transfers must verify the identity of both endpoints. Required Implementation Step: For B2B API integrations, do not rely solely on API Keys (which can be stolen). Configure mTLS where the client must present a valid certificate signed by your internal CA to establish the connection. This cryptographically guarantees that the “sender” is the authorised server, not an impostor.
Minimum Requirement: The API gateway drops connections from clients that do not present a valid client-side certificate.
7. Secure Voice and Video Communications
Control Requirement: Verbal transfers of sensitive information must be protected. Required Implementation Step: Audit your telephony and conferencing tools. Ensure “End-to-End Encryption” (E2EE) is enabled for Teams/Zoom meetings. For SIP trunks (VoIP), ensure TLS is enabled for signalling and SRTP (Secure Real-time Transport Protocol) is enabled for the media stream to prevent call recording by network sniffers.
Minimum Requirement: A packet capture (Wireshark) of a phone call reveals only encrypted noise, not audible conversation.
8. Hardening of Physical Media Transfers
Control Requirement: Information moved on portable media must be secured against physical loss. Required Implementation Step: Establish a strict procedure for courier transfers (e.g., sending backup tapes or hard drives). Use only bonded couriers with track-and-trace capabilities. Enforce hardware encryption (e.g., BitLocker To Go) on the drive before it leaves the building. Pack the drive in tamper-evident packaging (numbered seals).
Minimum Requirement: If the courier loses the package, the data on the drive remains inaccessible without the encryption key.
9. Deploy Data Loss Prevention (DLP) for Outbound Traffic
Control Requirement: Unauthorised transfers must be detected and blocked. Required Implementation Step: Configure your Network DLP or Cloud Access Security Broker (CASB). Create rules to block the upload of more than 10 files, or of specific PII patterns (e.g., passport numbers), to unapproved personal cloud storage sites (e.g., Dropbox, WeTransfer).
Minimum Requirement: A user attempting to upload a “Customer_List.csv” to their personal Google Drive receives a block notification.
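The following is an added example, not part of the original checklist and not a vendor transport rule or CASB policy, showing the decision logic behind step 2 (auto-encrypt mail marked “Confidential” or carrying card numbers) and step 9 (block bulk or PII-bearing uploads to unapproved personal cloud storage). The destination list, file threshold and passport pattern are assumptions to tune for your environment; the Luhn check is included because matching digit runs alone floods a DLP queue with false positives.

```python
import re

# Added example, not a vendor transport rule or CASB policy. The destinations,
# thresholds and patterns are assumptions to be tuned for your environment.
UNAPPROVED_DESTINATIONS = {"dropbox.com", "wetransfer.com", "mega.nz"}
MAX_FILES_PER_UPLOAD = 10
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Illustrative passport-number shape (one or two letters then 7-8 digits). Real
# formats vary by issuing country, so treat this as a placeholder.
PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}\d{7,8}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which filters out random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return only Luhn-valid card numbers found in text, separators removed."""
    found = []
    for match in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def email_action(subject: str, body: str) -> str:
    """Step 2 transport rule: 'encrypt' when the subject is marked confidential
    or the body carries a card number, otherwise 'send' as normal."""
    if "confidential" in subject.lower() or find_card_numbers(body):
        return "encrypt"
    return "send"

def upload_action(destination: str, filenames: list[str], content: str) -> str:
    """Step 9 outbound DLP: block bulk or PII-bearing uploads to unapproved
    personal cloud storage; approved destinations pass through unchanged."""
    if destination.lower() not in UNAPPROVED_DESTINATIONS:
        return "allow"
    if len(filenames) > MAX_FILES_PER_UPLOAD:
        return "block"
    if find_card_numbers(content) or PASSPORT_RE.search(content):
        return "block"
    return "allow"
```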
10. Anonymise Data Sets Before Transfer
Control Requirement: Minimise the risk of data compromise during transfer. Required Implementation Step: Where live data is not strictly required by the recipient (e.g., sending logs to a support vendor), run a sanitisation script. Replace names with generic IDs and mask IP addresses. Ensure the data is useless for identity theft if the transfer is intercepted.
Minimum Requirement: Vendor support tickets contain no real customer PII, only error codes and anonymised strings.
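The following is an added example, not part of the original checklist, of the sanitisation script step 10 describes. It replaces known names with keyed pseudonyms (so the vendor can still correlate events belonging to the same user, but cannot reverse or guess-and-check the IDs without the key), masks IPv4 addresses, and refuses to release the output if any PII survives. The key, the name list and the log lines are constructed for illustration.

```python
import hashlib
import hmac
import re

# Added example, not the page's own script. The key, the names and the log
# lines are constructed for illustration; in practice the key is a secret
# that stays with you and never travels with the sanitised data.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"
IPV4_RE = re.compile(r"\b(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")

def pseudonym(name: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable keyed ID: the same person gets the same ID on every line, so the
    vendor can still correlate events, but without the key the ID cannot be
    reversed or linked to a guessed name (a plain hash could be)."""
    tag = hmac.new(key, name.strip().lower().encode(), hashlib.sha256).hexdigest()
    return f"USER-{tag[:8]}"

def mask_ip(match: re.Match) -> str:
    """Keep only the first octet so private and public ranges stay distinguishable."""
    return f"{match.group(1)}.x.x.x"

def sanitise_line(line: str, names: list[str], key: bytes = PSEUDONYM_KEY) -> str:
    """Replace each known name with its pseudonym, then mask IPv4 addresses."""
    for name in sorted(names, key=len, reverse=True):   # longest first: 'Ann Lee' before 'Ann'
        line = re.sub(rf"\b{re.escape(name)}\b", pseudonym(name, key), line, flags=re.IGNORECASE)
    return IPV4_RE.sub(mask_ip, line)

def residual_pii(text: str, names: list[str]) -> list[str]:
    """Pre-release check: anything listed here must not leave the building."""
    leaks = [n for n in names if re.search(rf"\b{re.escape(n)}\b", text, re.IGNORECASE)]
    return leaks + [m.group() for m in re.finditer(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", text)]

def sanitise_log(lines: list[str], names: list[str], key: bytes = PSEUDONYM_KEY) -> list[str]:
    """Sanitise a whole ticket attachment and refuse to return it if PII remains."""
    out = [sanitise_line(line, names, key) for line in lines]
    leaks = residual_pii("\n".join(out), names)
    if leaks:
        raise ValueError(f"refusing to release data, PII still present: {leaks}")
    return out

# Constructed sample: a support-ticket log excerpt before sanitisation.
SAMPLE_NAMES = ["Alice Carter", "Bob"]
SAMPLE_LOG = [
    "2024-05-01 10:02:11 login ok user=Alice Carter src=10.20.30.40",
    "2024-05-01 10:02:15 login FAILED user=bob src=203.0.113.7 err=E4012",
    "2024-05-01 10:03:00 login ok user=alice carter src=10.20.30.40",
]
```

The name list is the sanitiser's blind spot: a name that is not in it passes through untouched, so feed it from your directory export rather than typing it by hand.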
ISO 27001 Annex A 5.14 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Email Encryption | GRC tool asks: “Do you use SSL?” (Yes/No). | Fails if you use “Opportunistic TLS” that falls back to clear text when the recipient server is misconfigured. Mandatory TLS is required. |
| File Sharing | SaaS platform checks if “OneDrive” is installed. | Fails if users are generating “Anyone with the link” URLs, effectively making your data public on the internet. |
| Physical Media | Questionnaire: “Do you track couriers?” | Fails if the USB drive inside the envelope is unencrypted. Tracking finds the package; encryption protects the data. |
| API Security | Tool checks for “API Keys”. | Fails if keys are hardcoded in scripts or sent in URL parameters. Real security requires mTLS or OAuth 2.0 with short-lived tokens. |
| Voice Security | Not checked by most automated scanners. | Fails if your VoIP calls are sent over UDP/RTP in clear text, allowing anyone on the LAN to replay the conversation. |
| External Agreements | Upload a generic NDA. | Fails if the NDA doesn’t specify how data is transferred. You need an ITA that mandates SFTP/HTTPS standards. |
| DLP | Policy says “Data theft is forbidden”. | Fails if you don’t have a CASB blocking uploads to Mega.nz. Policy doesn’t stop exfiltration; blocking rules do. |