Auditing ISO 27001 Annex A 5.14 (Information Transfer) validates the security of data in transit across organisational boundaries. The audit confirms the primary implementation requirement: formal transfer agreements and secure protocols that protect the integrity and confidentiality of information. The business benefit is a reduced risk of data leakage during communication and demonstrable compliance with legal and contractual obligations.
This technical verification tool is designed for lead auditors to confirm the security of data in transit across organisational boundaries. Use this checklist to validate compliance with ISO 27001 Annex A 5.14 (Information transfer) by ensuring that transfer policies, agreements, and technical controls are robustly implemented.
1. Information Transfer Policy Formalisation Verified
Verification Criteria: A documented policy exists that defines the rules, procedures, and technical standards for transferring information within the organisation and to external parties.
Required Evidence: Approved Information Transfer Policy or Operating Procedures, including specific sections on secure electronic messaging and physical media transit.
Pass/Fail Test: If the policy lacks specific technical requirements for encryption levels or allowed transfer methods (e.g., SFTP vs. email), mark as Non-Compliant.
2. Enforceable Transfer Agreements Present
Verification Criteria: Information transfers involving external parties are governed by formal agreements that specify security requirements, liability, and handling instructions.
Required Evidence: Signed Data Transfer Agreements (DTAs), Service Level Agreements (SLAs), or specific security clauses within master contracts for a sampled external vendor.
Pass/Fail Test: If sensitive data is being transferred to a third party without a signed agreement that defines the recipient’s security obligations, mark as Non-Compliant.
3. Secure Messaging Configuration Validated
Verification Criteria: Electronic messaging systems (email, Slack, Teams) are configured to protect information from unauthorised disclosure or modification during transit.
Required Evidence: Screenshots of mail server configurations showing TLS 1.2+ enforcement, or logs of encrypted message delivery for sensitive data.
Pass/Fail Test: If the organisation allows the transfer of “Confidential” information via unencrypted standard email, mark as Non-Compliant.
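A concrete way to test the "TLS 1.2+ enforcement" evidence for item 3 is to read the mail server's configuration rather than a screenshot. The following is an added example, not part of the original checklist: it parses a Postfix main.cf fragment and reports why a weak configuration fails, beside a hardened fragment that passes. Both fragments are constructed for illustration; the parameter names (smtpd_tls_security_level, smtp_tls_security_level, the *_tls_protocols and *_tls_mandatory_protocols lists) are real Postfix parameters, while the rule that the mandatory list takes precedence over the general list when both are present is an assumption of this script.

```python
"""Audit a Postfix main.cf fragment for mandatory TLS and a TLS 1.2+ floor.

Added example for audit item 3 (secure messaging configuration).
The two fragments below are constructed, not taken from a real server.
"""

# Constructed sample: opportunistic TLS inbound, no TLS outbound, TLS 1.0/1.1 still enabled.
WEAK_MAIN_CF = """
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = none
"""

# Constructed sample: mandatory TLS both ways with a TLS 1.2 floor.
HARDENED_MAIN_CF = """
smtpd_tls_security_level = encrypt
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols = >=TLSv1.2
"""

# Protocol versions that must not be negotiable for a TLS 1.2+ requirement.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Outbound levels that never fall back to cleartext delivery.
MANDATORY_OUTBOUND = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}


def parse_main_cf(text):
    """Parse 'key = value' lines into a dict, ignoring comments and blank lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def protocols_floor_ok(value):
    """True if the protocol list leaves only TLS 1.2 or newer enabled.

    Accepts either the exclusion form ('!SSLv2, !SSLv3, !TLSv1, !TLSv1.1')
    or the newer floor form ('>=TLSv1.2').
    """
    if value is None:
        return False
    if value.startswith(">="):
        return value[2:].strip() in ("TLSv1.2", "TLSv1.3")
    excluded = {p.strip().lstrip("!") for p in value.split(",") if p.strip().startswith("!")}
    return LEGACY <= excluded


def audit_postfix_tls(text):
    """Return a list of findings; an empty list means the fragment passes the test."""
    p = parse_main_cf(text)
    findings = []
    if p.get("smtpd_tls_security_level") != "encrypt":
        findings.append("inbound: smtpd_tls_security_level must be 'encrypt' to refuse cleartext")
    # Assumption: the mandatory list governs when present, otherwise the general list.
    if not protocols_floor_ok(p.get("smtpd_tls_mandatory_protocols", p.get("smtpd_tls_protocols"))):
        findings.append("inbound: TLS 1.0/1.1 or SSL still negotiable")
    if p.get("smtp_tls_security_level") not in MANDATORY_OUTBOUND:
        findings.append("outbound: smtp_tls_security_level permits cleartext delivery")
    if not protocols_floor_ok(p.get("smtp_tls_mandatory_protocols", p.get("smtp_tls_protocols"))):
        findings.append("outbound: TLS 1.0/1.1 or SSL still negotiable")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        result = audit_postfix_tls(cfg)
        print(name, "->", "PASS" if not result else result)
```

The script treats a global outbound `encrypt` level as the passing case because that is what the checklist asks for; in practice many sites keep a global `may` and enforce TLS only towards named partner domains with `smtp_tls_policy_maps`, and the auditor should then sample those map entries instead.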
4. Physical Media Transit Protection Verified
Verification Criteria: Procedures for the physical transfer of media (e.g., hard drives, backup tapes, paper) include protection against loss, theft, and unauthorised access.
Required Evidence: Courier tracking logs, evidence of tamper-evident packaging, or logs showing full-disk encryption for all removable media in transit.
Pass/Fail Test: If physical media containing sensitive data is sent via standard post without encryption or a chain-of-custody log, mark as Non-Compliant.
5. Information Labelling During Transfer Confirmed
Verification Criteria: Information assets are correctly labelled according to the classification policy prior to transfer to ensure appropriate handling by the recipient.
Required Evidence: Sample of outgoing files or emails showing classification metadata or subject line markings (e.g., “[PROTECTED]”).
Pass/Fail Test: If the transfer process does not include a step to verify that classification labels are preserved or explicitly communicated, mark as Non-Compliant.
6. Transfer Traceability Logs Present
Verification Criteria: All significant information transfers are logged to provide an audit trail of what was sent, by whom, to whom, and at what time.
Required Evidence: Audit logs from the Managed File Transfer (MFT) system, SFTP server logs, or manual transfer registers for physical items.
Pass/Fail Test: If the organisation cannot produce a log showing who initiated a specific sensitive data export from the last 30 days, mark as Non-Compliant.
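The pass/fail test for item 6 asks whether the organisation can answer "who exported this file in the last 30 days" from its logs. The following is an added example, not part of the original checklist, showing what that answer looks like when built from SFTP server logs: it correlates session-open lines (user and source address) with file open/close lines by process id, classifies each transfer as upload or download, and applies the 30-day window. The log lines are constructed to resemble OpenSSH sftp-server INFO-level logging with ISO timestamps; the exact field layout is an assumption and the regular expressions should be adjusted to the real server's format.

```python
"""Build a transfer register from SFTP server log lines.

Added example for audit item 6 (transfer traceability). The sample log is
constructed; the line format is an assumption modelled on sftp-server logs.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Constructed sample log: one download, one upload, one later download.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z mft1 sftp-server[4101]: session opened for local user alice from [10.20.0.7]
2024-05-02T09:14:10Z mft1 sftp-server[4101]: open "/export/customers_q1.csv" flags READ mode 0644
2024-05-02T09:14:11Z mft1 sftp-server[4101]: close "/export/customers_q1.csv" bytes read 52104 written 0
2024-05-02T09:15:00Z mft1 sftp-server[4101]: session closed for local user alice from [10.20.0.7]
2024-05-20T17:40:31Z mft1 sftp-server[5230]: session opened for local user bob from [203.0.113.9]
2024-05-20T17:40:40Z mft1 sftp-server[5230]: open "/inbound/invoice.pdf" flags WRITE,CREATE,TRUNCATE mode 0644
2024-05-20T17:40:41Z mft1 sftp-server[5230]: close "/inbound/invoice.pdf" bytes read 0 written 8812
2024-05-29T08:02:12Z mft1 sftp-server[6002]: session opened for local user carol from [10.20.0.9]
2024-05-29T08:02:20Z mft1 sftp-server[6002]: open "/export/payroll_may.xlsx" flags READ mode 0640
2024-05-29T08:02:21Z mft1 sftp-server[6002]: close "/export/payroll_may.xlsx" bytes read 20480 written 0
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SESSION_RE = re.compile(r'^session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]')
OPEN_RE = re.compile(r'^open "(?P<path>[^"]+)" flags (?P<flags>\S+)')
CLOSE_RE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)')

# One register entry: what was sent, by whom, from where, when, and which way.
Transfer = namedtuple("Transfer", "when user source_ip path direction bytes")


def parse_ts(value):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_register(log_text, now_iso, window_days=30):
    """Return the Transfer entries that started within the last window_days before now_iso."""
    cutoff = parse_ts(now_iso) - timedelta(days=window_days)
    sessions = {}   # pid -> (user, source ip), from the session-open line
    pending = {}    # (pid, path) -> (open time, direction), awaiting the close line
    register = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, pid, msg = parse_ts(m["ts"]), m["pid"], m["msg"]
        if (s := SESSION_RE.match(msg)):
            sessions[pid] = (s["user"], s["ip"])
        elif (o := OPEN_RE.match(msg)):
            direction = "upload" if "WRITE" in o["flags"] else "download"
            pending[(pid, o["path"])] = (ts, direction)
        elif (c := CLOSE_RE.match(msg)):
            ts_open, direction = pending.pop((pid, c["path"]), (ts, "unknown"))
            user, ip = sessions.get(pid, ("<unknown>", "<unknown>"))
            nbytes = int(c["read"]) if direction == "download" else int(c["written"])
            if ts_open >= cutoff:
                register.append(Transfer(ts_open, user, ip, c["path"], direction, nbytes))
    return register


def who_exported(log_text, path, now_iso):
    """Answer the auditor's question: which users downloaded this path in the window."""
    return [t.user for t in build_register(log_text, now_iso)
            if t.path == path and t.direction == "download"]


if __name__ == "__main__":
    for t in build_register(SAMPLE_LOG, "2024-06-01T00:00:00Z"):
        print(t.when.isoformat(), t.user, t.source_ip, t.direction, t.path, t.bytes)
    print("payroll exported by:", who_exported(SAMPLE_LOG, "/export/payroll_may.xlsx", "2024-06-01T00:00:00Z"))
```

The value for the auditor is the join between the session line and the file lines: a log that records file opens without the authenticated user, or records logins without file names, cannot answer the pass/fail question even though "logging is enabled".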
7. Verbal Information Transfer Controls Evidenced
Verification Criteria: Rules exist to control the verbal transfer of sensitive information in public places or via insecure voice communication channels.
Required Evidence: Acceptable Use Policy (AUP) or staff briefing records specifically addressing verbal confidentiality in public/unsecured environments.
Pass/Fail Test: If there is no documented guidance or training regarding the risks of verbal disclosure in shared office spaces or via non-corporate voice apps, mark as Non-Compliant.
8. Technical Integrity Controls (Checksums/Signatures) Verified
Verification Criteria: High-integrity transfers utilise technical controls to ensure that information is not modified during the transfer process.
Required Evidence: Automated checksum verification logs (MD5/SHA) or the use of digital signatures for file transfers within the MFT platform.
Pass/Fail Test: If the organisation relies on “blind trust” for large-scale data migrations without any automated hash verification or integrity check, mark as Non-Compliant.
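Item 8 names checksum verification and digital signatures as the integrity controls. The following is an added example, not from the original checklist, of what an automated check looks like end to end: the sender builds a manifest of SHA-256 digests for a batch of files, the receiver recomputes them and reports modified, missing or unexpected files. SHA-256 is used rather than MD5 because MD5 collisions are practical. Because an unauthenticated manifest can be altered along with the files, the manifest carries an HMAC under a key shared out of band; that keyed MAC stands in here for the digital signature the checklist mentions, and the files, key and manifest format are all constructed for this example.

```python
"""SHA-256 transfer manifest with an authenticated (HMAC) footer.

Added example for audit item 8 (technical integrity controls).
The files, the shared key and the manifest layout are constructed;
in a real MFT deployment a signature from the sender's key would replace the HMAC.
"""
import hashlib
import hmac

# Constructed sample batch as it leaves the sender, and a key shared out of band.
SENDER_FILES = {
    "report.csv": b"id,amount\n1,100\n2,250\n",
    "notes.txt": b"quarterly figures, draft\n",
}
SHARED_KEY = b"constructed-shared-key-not-for-real-use"
FOOTER_PREFIX = "# hmac-sha256 "


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files, key):
    """Return manifest text: one '<sha256>  <path>' line per file, then an HMAC footer."""
    body = "\n".join(f"{sha256_hex(data)}  {path}" for path, data in sorted(files.items()))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "\n" + FOOTER_PREFIX + tag + "\n"


def verify_manifest(files, manifest, key):
    """Return findings for the received batch; an empty list means integrity verified.

    The manifest itself is authenticated first: a missing or wrong HMAC is
    reported on its own, because the per-file digests cannot be trusted then.
    """
    lines = manifest.rstrip("\n").split("\n")
    footer, body_lines = lines[-1], lines[:-1]
    if not footer.startswith(FOOTER_PREFIX):
        return ["manifest is unauthenticated: no HMAC line"]
    expected = hmac.new(key, "\n".join(body_lines).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, footer[len(FOOTER_PREFIX):].strip()):
        return ["manifest authentication failed: HMAC mismatch"]

    listed = {}
    for line in body_lines:
        digest, _, path = line.partition("  ")
        listed[path] = digest

    findings = []
    for path, digest in listed.items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif not hmac.compare_digest(sha256_hex(files[path]), digest):
            findings.append(f"modified: {path}")
    for path in files:
        if path not in listed:
            findings.append(f"unexpected: {path}")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(SENDER_FILES, SHARED_KEY)
    print(manifest)
    print("clean batch:", verify_manifest(SENDER_FILES, manifest, SHARED_KEY))
    tampered = dict(SENDER_FILES, **{"report.csv": b"id,amount\n1,1000\n2,250\n"})
    print("tampered batch:", verify_manifest(tampered, manifest, SHARED_KEY))
```

The "blind trust" failure in the pass/fail test corresponds to skipping `verify_manifest` entirely; the auditor should ask to see the job log where the receiving side records the outcome of this step for each batch.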
9. Information Reception Procedures Documented
Verification Criteria: Clear procedures exist for receiving information, including verification of the sender’s identity and checking for malicious content.
Required Evidence: Inbound email security gateway logs (e.g., Mimecast/Proofpoint) showing SPF/DKIM/DMARC checks and malware scanning.
Pass/Fail Test: If incoming transfers are accepted from unverified external sources without automated malware scanning or sender authentication, mark as Non-Compliant.
10. Non-Disclosure Agreement (NDA) Compliance Confirmed
Verification Criteria: NDAs are in place for all employees, contractors, and third parties prior to them being granted access to transfer systems or sensitive data.
Required Evidence: Sample of HR files or vendor files showing signed NDAs or confidentiality clauses integrated into contracts.
Pass/Fail Test: If any individual has “Write” or “Export” access to the transfer system without a signed and active NDA on file, mark as Non-Compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Transfer Policy | GRC tool identifies that a “Transfer Policy.pdf” exists in the repository. | The auditor must verify the policy includes technical standards like AES-256 or TLS 1.3 requirements. |
| Messaging Security | SaaS tool verifies that “Teams” or “Slack” is used for communication. | Verify that external “Guest” access is restricted and data loss prevention (DLP) rules are active for sensitive keywords. |
| External Agreements | Tool records that an NDA is signed with the vendor. | Verify the *Data Transfer Agreement* specifically; an NDA does not cover technical transfer protocols or liability for data loss. |
| Physical Media | SaaS tool ignores physical transit as it is “outside the cloud”. | Demand physical logs of media movement; if it isn’t in the cloud, the GRC tool won’t see it, but the auditor must. |
| Traceability | Tool checks if “Logging” is enabled in the cloud tenant settings. | The auditor must trace a specific file transfer from origin to destination to confirm the log contains actionable data. |
| Integrity Checks | GRC platform assumes cloud-to-cloud transfers inherently preserve integrity. | Verify the use of hash-sum validation for critical financial or health data transfers between disparate systems. |
| Inbound Verification | Tool identifies a firewall is present. | Verify that SPF, DKIM, and DMARC are set to “Reject” or “Quarantine” to prevent spoofed transfers. |
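Both item 9 and the "Inbound Verification" row above come down to two checks the auditor can perform directly: is the organisation's own DMARC record published with a policy of quarantine or reject, and do the gateway's Authentication-Results headers show SPF/DKIM/DMARC actually being evaluated on inbound mail. The following is an added example, not from the original checklist, that parses a DMARC TXT record and an Authentication-Results header value and reports findings the same way the checklist does. The records and headers are constructed; a real audit would fetch the TXT record from DNS and take the header from a sampled message.

```python
"""Assess a DMARC record and an Authentication-Results header for audit item 9.

Added example; the DMARC record strings and header values below are constructed.
"""
import re

# Constructed samples.
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
GOOD_HEADER = ("mx.example.com; spf=pass smtp.mailfrom=partner.example; "
               "dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example")
SPOOFED_HEADER = ("mx.example.com; spf=fail smtp.mailfrom=unrelated.example; "
                  "dkim=none; dmarc=fail header.from=partner.example")

ENFORCING = {"quarantine", "reject"}


def parse_tag_value(record):
    """Split a 'k=v; k=v' DMARC record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_record):
    """Return findings for a published DMARC record; empty means it blocks spoofed mail."""
    tags = parse_tag_value(txt_record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"policy p={policy or 'missing'} does not block spoofed mail")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sp = tags.get("sp")
    if sp and sp.lower() not in ENFORCING:
        findings.append(f"subdomain policy sp={sp} weaker than required")
    return findings


def parse_authentication_results(header):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header value."""
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r'\b(spf|dkim|dmarc)=(\w+)', header)}


def assess_inbound(header):
    """Return the non-passing mechanisms for an inbound message.

    A DMARC pass already implies an aligned SPF or DKIM pass, so a single
    failing mechanism (for example SPF broken by forwarding) is acceptable then.
    """
    results = parse_authentication_results(header)
    if results.get("dmarc") == "pass":
        return []
    return [f"{mech}={results.get(mech, 'absent')}"
            for mech in ("spf", "dkim", "dmarc") if results.get(mech) != "pass"]


if __name__ == "__main__":
    for rec in (GOOD_DMARC, WEAK_DMARC):
        print(rec, "->", assess_dmarc(rec) or "PASS")
    for hdr in (GOOD_HEADER, SPOOFED_HEADER):
        print(parse_authentication_results(hdr), "->", assess_inbound(hdr) or "accepted")
```

A record with `p=none` produces reports but rejects nothing, which is why the reality-check column asks for "Reject" or "Quarantine"; the `pct` and `sp` tags are the two places where an apparently enforcing record is quietly weakened.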