In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.14 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.14 Information Transfer
ISO 27001 Annex A 5.14 requires organizations to establish rules, procedures, and agreements for all types of information transfer facilities. Whether you are sending a digital file via email, shipping a physical hard drive, or having a sensitive conversation in a meeting room, the data must remain secure in transit. This control is designed to prevent the unauthorized disclosure, modification, or loss of information as it moves between internal teams or to external third parties.
Core requirements for compliance include:
- Rules for 3 Transfer Methods: You must address three specific modes of transfer:
  - Electronic: Email, SFTP, Cloud Sharing, and Messaging apps.
  - Physical: Paper documents, USB drives, and removable storage media.
  - Verbal: Phone calls, video conferences, and in-person discussions.
- Proportionate Protection: Controls must match the data’s classification (from Annex A 5.12). For example, “Public” data can go via standard email, but “Confidential” data requires encryption and restricted access links.
- Traceability & Non-Repudiation: For sensitive transfers, you must be able to prove who sent the information, who received it, and that it wasn’t modified in transit. This often involves logs and delivery receipts.
- Malware Prevention: Electronic transfer systems must have active scanning to detect and block malicious attachments.
- Physical Security in Transit: When moving physical media, you must use reliable couriers, appropriate packaging (to prevent tampering), and maintain a clear chain of custody.
Audit Focus: Auditors will look for “The Transfer Gap”:
- Policy vs. Reality: “Your policy forbids using personal WhatsApp for business. How do you monitor this, and have you ever had to enforce your disciplinary process for a breach?”
- Encryption Proof: “Show me an example of a ‘Confidential’ file sent to a client last month. Can you prove it was encrypted and sent via an approved method?”
- Physical Media Logs: “If you send a backup tape or hard drive to off-site storage, show me the log entry and the courier receipt.”
Approved Transfer Methods Matrix (Audit Prep):
| Data Classification | Standard Email | Encrypted Email | SFTP / Cloud Share | Encrypted USB |
|---|---|---|---|---|
| Public | ✓ Allowed | ✓ Allowed | ✓ Allowed | ✓ Allowed |
| Internal | ✓ Allowed | ✓ Allowed | ✓ Allowed | ⚠️ Encrypted Only |
| Confidential | ❌ Forbidden | ✓ Allowed | ✓ Restricted Link | ⚠️ Encrypted Only |
| Secret | ❌ Forbidden | ❌ Forbidden | ✓ VPN/SFTP Only | ❌ Forbidden |
Table of contents
- What is ISO 27001 Annex A 5.14?
- Watch the ISO 27001 Annex A 5.14 Tutorial
- ISO 27001 Annex A 5.14 Podcast
- ISO 27001 Annex A 5.14 Implementation Guide
- The 3 transfer methods covered in ISO 27001
- How to implement ISO 27001 Annex A 5.14
- Approved Transfer Methods Table
- ISO 27001 Templates
- How to comply
- How to pass an ISO 27001 Annex A 5.14 audit
- What the auditor will check
- Top 3 ISO 27001 Annex A 5.14 Mistakes People Make and How to Avoid Them
- Applicability of ISO 27001 Annex A 5.14 across different business models
- Fast Track ISO 27001 Annex A 5.14 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.14 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 controls and attribute values
What is ISO 27001 Annex A 5.14?
ISO 27001 Annex A 5.14 is about information transfer, which means you need to make sure that information is transferred safely and securely.
ISO 27001 Annex A 5.14 Information Transfer is an ISO 27001 control that requires an organisation to have rules, procedures or agreements in place for all types of transfer within the organisation and with third parties.
ISO 27001 Annex A 5.14 Purpose
The purpose of ISO 27001 Annex A 5.14 is to ensure that you maintain the security of information transferred within an organisation and with any external interested party.
ISO 27001 Annex A 5.14 Definition
The ISO 27001 standard defines ISO 27001 Annex A 5.14 as:
Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organisation and between the organisation and other parties.
ISO 27001:2022 Annex A 5.14 Information Transfer
Watch the ISO 27001 Annex A 5.14 Tutorial
In the video ISO 27001 Information Transfer Explained – ISO27001:2022 Annex A 5.14, I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 5.14 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.14 Information Transfer. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 5.14 Implementation Guide
The prerequisite for this Annex A control is having an information classification scheme in place. We covered information classification in ISO 27001 Annex A 5.12 Classification of Information Beginner’s Guide.
Once you have your classification scheme in place you are going to then implement rules, procedures and agreements to protect information in transit based on its classification and the classification scheme you have established.
You are going to have to
- Establish and communicate a topic specific policy on information transfer
- Implement rules, procedures and/or agreements for information transfer to protect information in transit
- Cover information and other associated assets in all formats
Remember that information transfer can be done in many ways, including electronic transfer, physical storage media transfer and even verbal transfer.
Let us explore what the standard is expecting for each transfer method.
All information transfers
For all information transfers:
- Implement controls proportionate to the information classification and business risk to protect against destruction, interception, unauthorised access, copying, modification – basically to protect the confidentiality, integrity and availability of the information.
- Put in place the ability to ensure traceability and the fancy word of non-repudiation, which includes a chain of custody while in transit. Do you know who had it and what they did with it, and can you prove it if you need to?
- The standard loves having owners so you will have the usual suspects of data owners, risk owners and all the roles and responsibilities defined by the management system. Those involved in the transfer of information should really be defined along with their contact details.
- Put in place who does what if there is a breach or an incident, and who is going to be liable.
- Obviously as we covered in ISO 27001 Annex A 5.13 Labelling Of Information Beginner’s Guide – you are going to have information labelling.
- In the top trumps of requirements the law always wins so clearly you will look at the legal register you have completed and look at relevant laws, regulations and contractual requirements that apply to you and follow them for information transfer.
- Set out your guidelines on storage and deletion of business records, and messages.
- Ensure the availability of the transfer service.
Electronic Transfers
There are some extra things you will have to do for electronic transfers. Nothing unusual, but they are:
- Detect and protect against malware and viruses
- If you use attachments and they include sensitive information – protect them.
- When you send something to someone make sure it is the correct someone.
- If you simply must use public means like instant messaging, get approval first. And then put in place some stronger measures and stricter authentication.
- Tell people not to message or SMS critical information. You can tell them. They won’t listen. And no one can check as they are private. Still, be sure to tell them eh?
Fax Machines
I mean WTAF, but still, people use them apparently. The standard is all nice and vague about advising people of the problems of using them. It omits the fact that the main problem is that this is not 1987, but still, tell people about the problems. Apparently. The actual reality is that if you do use them then you are controlling them through risk management and compensating controls.
Physical Storage Media Transfers
So we are going to move some physical media or paper about the place? If you must, you must. But if you do then:
- Someone needs to be assigned responsibility for notifying that it will happen, making it happen and getting a receipt that it happened. Nice work if you can get it.
- Send it to the right person, in the right way, eh? I mean, come on.
- Nothing stops a thief like a package, so packaging is covered. Packaging has its place. Think Amazon. Package that bad boy before you send it.
- I am not a fan of Evri per se, but then this is not my call and other couriers are available, so you need to have an agreed list. The standard speaks of reliable couriers. Which is hilarious. Just have a list of the least shit.
- It wants you to have courier identification standards. Which is vague AF. Pick mainstream ones and you will be ok. Or you could try asking ‘are you a courier?’ before handing over priceless data, and if the answer is ‘er, yes’ then I think you are golden.
- Log everything!
Verbal Transfers
Oh my sweet god, so we are in the realms of the thought police. I wish you Godspeed with this one, but let’s look at what the standard believes people will do.
- No confidential chit chats in public places!
- No answering machine messages with confidential data on them. ‘Hi, this is Stuart, I am not available right now so please leave your confidential information after the beep……’
- Screen people to the appropriate level to listen to the conversation – Bwhhahhh hhahhha hhhaaa
- Have room controls in place like sound proofing – which is a little too 50 Shades of Grey for my liking. Please come into this sound proof room so I may whisper confidential information at you.
- Begin any sensitive conversation with a disclaimer. Of course. Obvious really. Give it a try. People will love you for it.
The 3 transfer methods covered in ISO 27001
The 3 transfer methods of ISO 27001 that are now explicitly covered are
- Electronic
- Physical
- Verbal
How to implement ISO 27001 Annex A 5.14
Implementing ISO 27001 Annex A 5.14 requires a transition from ad hoc file sharing to a governed, technical framework for data in transit. By formalising transfer protocols and enforcing cryptographic controls, organisations mitigate the risk of interception, misdirection, and data leakage. This action-orientated guide provides the technical steps necessary to secure all forms of information transfer, ensuring compliance with the 2022 standard.
1. Formalise a Topic-Specific Information Transfer Policy
Establish a documented policy that mandates the security requirements for all types of communication, including electronic, physical, and verbal. This action results in a standardised governance layer that dictates how sensitive data is categorised and handled during transit.
- Define an “Approved Tools List” to restrict data movement to vetted Managed File Transfer (MFT) solutions and encrypted email gateways.
- Specify mandatory encryption standards, such as AES-256 for data at rest on removable media and TLS 1.2 or higher for data in transit.
- Document the requirements for non-disclosure agreements (NDAs) and confidentiality clauses as a prerequisite for external transfers.
2. Provision Secure Communication Channels and Cryptographic Controls
Enforce technical safeguards across all communication interfaces to protect the confidentiality and integrity of information. This result-focused step ensures that even if a transfer is intercepted, the underlying data remains inaccessible to unauthorised parties.
- Configure site-to-site VPNs or secure APIs with Mutual TLS (mTLS) for recurring high-volume data exchanges between business partners.
- Implement Multi-Factor Authentication (MFA) for all users accessing file transfer portals or corporate email accounts.
- Utilise digital signatures or checksums to verify the integrity of large datasets post-transfer, preventing silent data corruption.
3. Formalise Information Transfer Agreements (ITAs)
Execute formal agreements with third parties that define the specific security obligations for shared information. This action results in a legally binding framework that reduces liability and ensures partners maintain equivalent security standards.
- Incorporate “Notification of Receipt” protocols to ensure the sender is alerted immediately when sensitive data reaches the intended destination.
- Define technical responsibilities for the encryption and decryption of shared assets within the contract or Data Processing Agreement (DPA).
- Document the Rules of Engagement (ROE) for handling misdirected information, including mandatory deletion and reporting requirements.
4. Implement Managed Access and IAM Restrictions
Apply the Principle of Least Privilege to all transfer facilities using an Identity and Access Management (IAM) framework. This action ensures that only authorised personnel can initiate or approve the movement of critical information assets.
- Provision Role-Based Access Control (RBAC) to limit access to sensitive transfer folders based on job function rather than individual user requests.
- Revoke transfer permissions automatically during “Mover” or “Leaver” workflows to prevent unauthorised post-employment data exfiltration.
- Restrict service account permissions for automated APIs to specific source and destination IP addresses.
5. Execute Continuous Monitoring and Audit Logging
Establish comprehensive logging for all information transfer activities to provide forensic evidence and verify policy compliance. This result-focused step allows the organisation to detect unusual data movement patterns that may indicate a breach.
- Configure the Managed File Transfer (MFT) system to log metadata, including the sender identity, file size, timestamp, and recipient IP address.
- Integrate transfer logs with a Security Information and Event Management (SIEM) tool to trigger real-time alerts for large or unauthorised data exports.
- Perform periodic audits of transfer logs to ensure that all active transfers align with current business requirements and Information Transfer Agreements.
Approved Transfer Methods Table
| Data Classification | Email (Standard) | Email (Encrypted) | File Transfer (e.g. SFTP) | Cloud Share (e.g. OneDrive) | USB Drive | ISO 27001:2022 Controls |
|---|---|---|---|---|---|---|
| Public | ✅ Allowed | ✅ Allowed | ✅ Allowed | ✅ Allowed | ✅ Allowed | Annex A 5.12, 5.14 |
| Internal | ✅ Allowed | ✅ Allowed | ✅ Allowed | ✅ Allowed | ⚠️ Encrypted Only | Annex A 5.12, 5.14, 8.24 |
| Confidential | ❌ Forbidden | ✅ Allowed | ✅ Allowed | ✅ Allowed (Restricted Link) | ⚠️ Encrypted Only | Annex A 5.12, 5.14, 8.24 |
| Secret | ❌ Forbidden | ❌ Forbidden | ✅ VPN/SFTP Only | ❌ Forbidden | ❌ Forbidden | Annex A 5.12, 5.14, 8.24 |
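The approved-methods table above is only useful to an auditor if it is actually enforced, and step 5 of the implementation guide asks for transfer logs to be checked against it. As an added example (not code from the article or from the High Table toolkit), here the matrix is encoded as a policy-as-code check and run over constructed transfer log lines, flagging misclassified, forbidden, unencrypted and oversized external transfers. The log format, channel names and the 1 GiB export threshold are assumptions.

```python
"""Approved Transfer Methods matrix as code, with an audit pass over transfer
log lines (implementation steps 1 and 5).  Added example, not code from the
article: log format, channel names and the 1 GiB export threshold are assumed."""
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOWED = "allowed"
    ENCRYPTED_ONLY = "encrypted only"
    RESTRICTED_LINK = "restricted link only"
    VPN_SFTP_ONLY = "VPN/SFTP only"
    FORBIDDEN = "forbidden"

D = Decision
CHANNELS = ("email", "encrypted_email", "sftp", "cloud_share", "usb")  # table columns
MATRIX = {  # one row per classification, cells in CHANNELS order, as in the article's table
    "public":       (D.ALLOWED, D.ALLOWED, D.ALLOWED, D.ALLOWED, D.ALLOWED),
    "internal":     (D.ALLOWED, D.ALLOWED, D.ALLOWED, D.ALLOWED, D.ENCRYPTED_ONLY),
    "confidential": (D.FORBIDDEN, D.ALLOWED, D.ALLOWED, D.RESTRICTED_LINK, D.ENCRYPTED_ONLY),
    "secret":       (D.FORBIDDEN, D.FORBIDDEN, D.VPN_SFTP_ONLY, D.FORBIDDEN, D.FORBIDDEN),
}
LARGE_EXPORT_BYTES = 1 << 30  # assumed SIEM alert threshold for external exports

@dataclass
class Transfer:
    transfer_id: str
    sender: str
    recipient: str
    classification: str
    channel: str
    flags: frozenset  # keys logged as 'yes': enc, vpn, restricted_link
    size_bytes: int

    @property
    def external(self):  # different mail domain => the data leaves the organisation
        return self.sender.rsplit("@", 1)[-1] != self.recipient.rsplit("@", 1)[-1]

def lookup(classification, channel):
    """Matrix cell for (classification, channel); None if unclassified or unknown."""
    row = MATRIX.get(classification)
    return row[CHANNELS.index(channel)] if row and channel in CHANNELS else None

def evaluate(t):
    """Policy findings for one Transfer; an empty list means compliant."""
    d, findings = lookup(t.classification, t.channel), []
    if d is None:  # Annex A 5.12 classification is the prerequisite for this control
        findings.append(f"no approved-methods row for class={t.classification} channel={t.channel}")
    elif d is D.FORBIDDEN:
        findings.append(f"{t.classification} data is forbidden over {t.channel}")
    elif d is D.ENCRYPTED_ONLY and "enc" not in t.flags:
        findings.append(f"{t.classification} data over {t.channel} must be encrypted")
    elif d is D.RESTRICTED_LINK and "restricted_link" not in t.flags:
        findings.append(f"{t.classification} cloud share needs a restricted (named-recipient) link")
    elif d is D.VPN_SFTP_ONLY and not (t.channel == "sftp" and "vpn" in t.flags):
        findings.append(f"{t.classification} data may only leave via SFTP over VPN")
    if t.external and t.size_bytes > LARGE_EXPORT_BYTES:  # step 5: large exports need review
        findings.append(f"large external export ({t.size_bytes} bytes) to {t.recipient}: check ITA")
    return findings

def parse_log_line(line):
    """Parse one 'key=value ...' line; every key logged as 'yes' becomes a flag."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Transfer(kv["id"], kv["sender"], kv["recipient"], kv.get("class", "unclassified").lower(),
                    kv["channel"], frozenset(k for k, v in kv.items() if v == "yes"), int(kv.get("size", 0)))

def audit(lines):
    """Map transfer id -> findings for every non-compliant transfer in the log."""
    transfers = (parse_log_line(line) for line in lines if line.strip())
    return {t.transfer_id: f for t in transfers if (f := evaluate(t))}

# Constructed sample log: T1 is compliant, T2-T6 each break a different rule.
SAMPLE_LOG = """\
ts=2024-05-02T09:14Z id=T1 sender=alice@corp.example recipient=bob@corp.example class=internal channel=email enc=no size=20480
ts=2024-05-02T09:20Z id=T2 sender=alice@corp.example recipient=client@partner.example class=confidential channel=email enc=no size=51200
ts=2024-05-02T10:02Z id=T3 sender=ops@corp.example recipient=dr@vault.example class=secret channel=sftp enc=yes vpn=yes size=2147483648
ts=2024-05-02T11:45Z id=T4 sender=carol@corp.example recipient=client@partner.example class=confidential channel=cloud_share enc=yes size=4096
ts=2024-05-02T13:10Z id=T5 sender=dave@corp.example recipient=x@partner.example class=internal channel=usb enc=no size=1048576
ts=2024-05-02T14:30Z id=T6 sender=erin@corp.example recipient=bob@corp.example channel=sftp enc=yes size=8192
"""
```

Running `audit(SAMPLE_LOG.splitlines())` returns findings for T2 to T6 only; the unclassified T6 is reported as a finding in its own right because the classification scheme is the prerequisite for matching a row.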
ISO 27001 Templates
If you want to write these yourself I totally commend you. And pity you in equal measure. You could save months of effort with these templates that take 25 years of experience and distill it in a pack of prewritten best practice awesomeness.
How to comply
To comply with ISO 27001 Annex A 5.14 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to
- Get yourself a topic specific policy and communicate it
- Implement your classification scheme
- Define and Implement your procedures, rules and agreements for transfers
- Communicate and make sure people follow said procedures, rules and agreements
How to pass an ISO 27001 Annex A 5.14 audit
To pass an audit of ISO 27001 Annex A 5.14 you are going to make sure that you have followed the steps above in how to comply.
What the auditor will check
The audit is going to check a number of areas. Let’s go through them.
1. That you have not done something stupid
The auditor is going to check the rules, procedures and agreements and make sure you followed them. As with everything, having documented evidence of anything you can is going to be your friend. So practical things like physical media transfer logs, risk register items and evidence of training. Work through each transfer type and look for the gotchas. Sure, you use a secure courier, but did you agree it and have them listed somewhere? Sure, you start every conversation with a disclaimer, and now, for shits and giggles, with the auditor would be the time to polish up and demonstrate your unique verbal skills.
2. That you have rules, processes and agreements, you have followed them and you have trained people
This is obvious but they are going to look that you have documented what you say you do, that you follow it and that you have trained people.
3. Documentation
They are going to look at audit trails and all your documentation and see that it is classified and labelled. All the documents that you show them, as a minimum if they are confidential, should be labelled as such. Doing anything else would be a massive own goal.
Top 3 ISO 27001 Annex A 5.14 Mistakes People Make and How to Avoid Them
The top 3 Mistakes People Make For ISO 27001 Annex A 5.14 are
1. Your teams go around you and do what they want because your controls make their life a living hell
Be practical and realistic in what you put in place. No one likes a smart arse, but they hate people who make their job more difficult way more. If you make it too hard they will just go around you. You have ZERO way to check, audit or impose on private conversations or private communications over things like WhatsApp and text. It just isn’t realistic. Don’t be a dick; be someone who takes the spirit of what is required and implements it with reasoned appropriateness. This is a risk based management system, not a rule based system. Controls are for consideration and the level you implement is down to you and the risk to your business.
2. One or more members of your team haven’t done what they should have done
Prior to the audit check that all members of the team have done what they should have, understand how to transfer information and have been trained in it.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, and having documents with no stray comments in them are all good practices.
Applicability of ISO 27001 Annex A 5.14 across different business models
| Business Type | Applicability & Interpretation | Examples of Control |
|---|---|---|
| Small Businesses | Stop Emailing Passwords. Small teams often over-rely on email. Compliance means establishing a “Rule” that sensitive data (passwords, bank details) must never be sent via plain email, but via secure links. | Secure Links: Using features like “SharePoint – Specific People” links with an expiry date instead of attaching Excel files directly to emails. |
| Tech Startups | Automated & API Security. Transfers aren’t just files; they are API calls. Auditors verify that data flowing between your microservices and external tools (Slack, Jira, AWS) is encrypted in transit. | TLS Enforcement: Configuring load balancers to reject any connection below TLS 1.2 to ensure all web traffic is encrypted. |
| AI Companies | Bulk Data Ingestion. Moving terabytes of training data requires specific agreements. You must ensure that data sent to third-party model providers (e.g., OpenAI API) is governed by a secure transfer protocol. | Authenticated Endpoints: Using Mutual TLS (mTLS) or signed URLs for ingesting client datasets into S3 buckets, ensuring no “man-in-the-middle” attacks. |
Fast Track ISO 27001 Annex A 5.14 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.14 (Information transfer), the requirement is to have rules, procedures, and agreements in place for all types of transfer facilities (electronic, physical, and verbal) to protect the security of information in transit. This ensures that sensitive data is not intercepted, destroyed, or accessed by unauthorised parties while moving between people or organizations.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Policy Ownership | Rents access to your transfer rules; if you cancel the subscription, your documented secure methods and transit logs vanish. | Permanent Assets: Fully editable Word/Excel Information Transfer Policies and Method Tables you own forever. | A localized “Information Transfer Policy” defining mandatory encryption for PII shared with external partners. |
| Operational Utility | Attempts to “automate” transfers via dashboards that cannot manage physical couriers or verbal confidentiality rules. | Governance-First: Formalizes all transfer types (electronic, physical, verbal) into an auditor-ready framework. | An “Approved Transfer Methods Table” mapping data sensitivity (e.g., Secret) to specific channels (e.g., Secure SFTP). |
| Cost Efficiency | Charges a “Transfer Volume Tax” based on data amount or transfer events, creating perpetual overhead as you grow. | One-Off Fee: A single payment covers your transfer governance for 10 files or 10,000,000. | Allocating budget to high-grade VPNs or End-to-End Encryption tools rather than monthly “compliance seat” fees. |
| Strategic Freedom | Mandates rigid technical workflows that often fail to align with lean hybrid work models or specialized physical workflows. | 100% Agnostic: Procedures adapt to your existing stack—Slack, OneDrive, or physical couriers—without limits. | The ability to evolve your communication strategy (e.g., moving to Zero Trust file sharing) without reconfiguring a rigid SaaS module. |
Summary: For Annex A 5.14, the auditor wants to see that you have a formal Information Transfer Policy and proof that people know which methods are approved for different data types. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.14 FAQ
What is ISO 27001 Annex A 5.14?
ISO 27001 Annex A 5.14 is an organisational control that requires organisations to establish rules, procedures, and agreements for all types of information transfer to prevent unauthorized disclosure or loss.
- Covers internal transfers between departments and external transfers to third parties.
- Requires the use of secure communication channels and encryption.
- Mandates formalised “Information Transfer Agreements” for sensitive data.
- Encompasses digital transfers, physical media, and verbal communications.
Is an Information Transfer Agreement (ITA) mandatory?
Yes, for transfers involving high-risk or sensitive data, a formalised Information Transfer Agreement (ITA) is necessary to define the security obligations of all parties.
- Sets the ground rules for how data should be handled by the recipient.
- Defines the technical requirements for the transfer (e.g., specific encryption standards).
- Establishes legal liability and incident reporting requirements.
- Must be signed by both the sender and the receiver before data movement occurs.
How does Annex A 5.14 protect data in transit?
Annex A 5.14 protects data in transit by mandating the implementation of technical safeguards that ensure confidentiality, integrity, and availability.
- Encryption: Utilizing TLS for web traffic and AES-256 for file-level protection.
- Access Controls: Restricting transfer capabilities to authorised personnel only.
- Verification: Using digital signatures or checksums to ensure data hasn’t been tampered with.
- Audit Trails: Logging all transfer activities for forensic review and compliance verification.
Does Annex A 5.14 cover physical data transfers?
Yes, the control explicitly includes the physical transport of information, such as the courier of hard drives, tapes, or printed documentation.
- Requires secure packaging and tampering-evident seals for physical media.
- Mandates the use of trusted couriers with a formalised chain of custody.
- Requires that physical media be encrypted at rest before transport.
- Includes protocols for the secure handover and receipt of physical assets.
What are the common risks addressed by Annex A 5.14?
The primary objective is to mitigate risks associated with the movement of data across internal and external network boundaries.
- Interception: Preventing attackers from “sniffing” data while it moves across a network.
- Misdirection: Ensuring data is sent to the correct recipient and not a malicious actor.
- Data Corruption: Preventing technical failures or malicious acts from altering the data.
- Unauthorized Copying: Controlling the creation of shadow data during the transfer process.
What evidence do auditors look for regarding Annex A 5.14?
Auditors expect to see a documented Information Transfer Policy supported by signed agreements and technical logs proving secure methods are used.
- A Topic-Specific Policy: Detailing the rules for information transfer within the organisation.
- Signed ITAs or DPAs: Evidence of agreements with third-party suppliers.
- Configuration Records: Screenshots showing TLS settings or Managed File Transfer (MFT) setups.
- Training Records: Proof that staff understand the risks of sending data via unsecure methods.
Related ISO 27001 Controls
ISO 27001 Annex A 5.20 Addressing Information Security Within Supplier Agreements
ISO 27001 Annex A 5.36 Compliance With Policies, Rules And Standards For Information Security
Further Reading
The complete guide to ISO/IEC 27002:2022
ISO 27001 Risk Treatment – Tutorial
ISO 27001 controls and attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Protect | Information protection, Asset management | Protection |