Table of contents
- ISO 27001 Information Transfer
- What is ISO 27001 Annex A 5.14?
- Implementation Guide
- What are the 3 transfer methods of ISO 27001 now covered?
- Watch the Implementation Video
- ISO 27001 Templates
- How to comply
- How to pass an audit
- What the auditor will check
- Top 3 Mistakes People Make
- FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 controls and attribute values
ISO 27001 Information Transfer
In this ultimate guide to ISO 27001 Annex A 5.14 Information Transfer you will learn
- What is ISO 27001 Annex A 5.14
- How to implement ISO 27001 Annex A 5.14
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.
What is ISO 27001 Annex A 5.14?
ISO 27001 Annex A 5.14 Information Transfer is an ISO 27001 control that requires an organisation to have rules, procedures or agreements in place for all types of transfer within the organisation and with third parties.
Purpose
The purpose of ISO 27001 Annex A 5.14 is to ensure that you maintain the security of information transferred within an organisation and with any external interested party.
Definition
The ISO 27001 standard defines ISO 27001 Annex A 5.14 as:
Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organisation and between the organisation and other parties.
ISO 27001:2022 Annex A 5.14 Information Transfer
ISO 27001:2022 Changes
Ok, so the changes to the 2022 version of the standard are in part practical but in equal part absolutely fking hilarious. It is like people sit in a room and think, what makes the least sense that we can make people do. Take for example fax machines, or disclaimers before you talk to anyone. Absolute drivel but a good laugh. Still there is some good stuff in here like fleshing out the transfer methods with a little more guidance on physical and electronic. Verbal guidance belongs in the bin and is totally unmanageable and un auditable but still, we cover it below.
Implementation Guide
The prerequisite for the this annex a control is having an information classification scheme in place. We covered information classification in – ISO 27001 Annex A 5.12 Classification of Information Beginner’s Guide
Once you have your classification scheme in place you are going to then implement rules, procedures and agreements to protect information in transit based on its classification and the classification scheme you have established.
You are going to have to
- Establish and communicate a topic specific policy on information transfer
- Implement rules, procedures and/ or agreements for information transfer to protect information in transit
- Cover information and other associated assets in all formats
Remembering that information transfer can be done in many ways including through electronic transfer, physical storage media transfer and even verbal transfer.
Let us explore what the standard is expecting for each transfer method.
All information transfers
For all information transfer
- Implement controls proportionate to the information classification and business risk to protect against destruction, interception, unauthorised access, copying, modification – basically to protect the confidentiality, integrity and availability of the information.
- Put in place the ability to ensure traceability and the fancy word of non repudiation which includes a chain of custody wile in transit. Do you know who had it and what they did with it and can you prove it if you need to?
- The standard loves having owners so you will have the usual suspects of data owners, risk owners and all the roles and responsibilities defined by the management system. Those involved in the transfer of information should really be defined along with their contact details.
- Put in place who does what if there is a breach or an incident and who is going to be liable
- Obviously as we covered in ISO 27001 Annex A 5.13 Labelling Of Information Beginner’s Guide – you are going to have information labelling.
- In the top trumps of requirements the law always wins so clearly you will look at the legal register you have completed and look at relevant laws, regulations and contractual requirements that apply to you and follow them for information transfer.
- Set out your guidelines on storage and deletion of business records, and messages.
- Ensure the availability of the transfer service.
Electronic Transfers
There are some extra things you will have to do for electronic transfers. Nothing unusual but they are
- Detect and protect against malware and viruses
- If you use attachments and they include sensitive information – protect them.
- When you send something to someone make sure it is the correct someone.
- If you simply must use public means like instant messaging, get approval first. And then put in place some stronger measures and stricter authentication.
- Tell people not to message or SMS critical information. You can tell them. They won’t listen. And no one can check as they are private. Still, be sure to tell them eh?
Fax Machines
I mean WTAF but still, people use them apparently. The standard is all nice and vague about advising people of the problems of using them. It omits the fact the main problem is this is not 1987 but still tell people about the problems. Apparently. The actual reality is if you do use them then you are controlling them through risk management and compensating controls.
Physical Storage Media Transfers
So we are going to move some physical media or paper about the place? If you must you must. But if you do then
- Someone needs to be assigned responsibility for notifying it will happen, making it happen and getting a reciept that it happened. Nice work if you can get it.
- Send it to the right person, in the right way, eh? I mean, come on.
- Nothing stops a thief like a package so packaging is covered. Packaging has its place. Think amazon. Package that bad boy before you send it.
- I am not a fan of Evri per se, but then this is not my call and other couriers are available so you need to have an agreed list. The standard says of reliable couriers. Which is hilarious. Just have a list of the least shit.
- It wants you to have courier identification standards. Which is vague AF. Pick mainstreams ones and you will be ok. Or you could try asking – ‘are you a courier’ before handing over priceless data and if the answer is ‘er, yes’ then I think you are golden.
- Log everything!
Verbal Transfers
Oh my sweet god, so we are in the realms of thought police. I wish you god speed with this one but lets look at what the standard believes people will do.
- No confidential chit chats in public places!
- No answer machine messages with that confidential data on. ‘Hi, this is Stuart, I am not available right now so please leave your confidential information after the beep……’
- Screen people to the appropriate level to listen to the conversation – Bwhhahhh hhahhha hhhaaa
- Have room controls in place like sound proofing – which is a little to 50 shades of grey for my liking. Please come into this sound proof room so I may whisper confidential information at you.
- Begin any sensitive conversation with a disclaimer. Of course. Obvious really. Give it a try. People will love you for it.
What are the 3 transfer methods of ISO 27001 now covered?
The 3 transfer methods of ISO 27001 that are now explicitly covered are
- Electronic
- Physical
- Verbal
Watch the Implementation Video
In the video ISO 27001 Information Transfer Explained – ISO27001:2022 Annex A 5.14 show you how to implement it and how to pass the audit.
ISO 27001 Templates
If you want to write these yourself I totally commend you. And pity you in equal measure. You could save months of effort with these templates that take 25 years of experience and distill it in a pack of prewritten best practice awesomeness.
How to comply
To comply with ISO 27001 Annex A 5.14 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to
- Get yourself a topic specific policy and communicate it
- Implement your classification scheme
- Define and Implement your procedures, rules and agreements for transfers
- Communicate and make sure people follow said procedures, rules and agreements
How to pass an audit
To pass an audit of ISO 27001 Annex A 5.14 you are going to make sure that you have followed the steps above in how to comply.
What the auditor will check
The audit is going to check a number of areas. Lets go through them
1. That you have not done something stupid
The auditor is going to check the rules, procedures and agreements and make sure you followed them. As with everything having documented evidence of anything you can is going to be your friend. So practical things like physical media transfer logs, risk register items and evidences of training. Work through each transfer type and look for the gotchas. Sure you use a secure courier but did you agree it and have them listed some where? Sure you start every conversation with a disclaimer, and now for shits and giggles, with the auditor would be the time to polish off and demonstrate your unique verbal skills.
2. That you have rules, processes, agreement and you have followed them and have trained people
This is obvious but they are going to look that you have documented what you say you do, that you follow it and that you have trained people.
3. Documentation
They are going to look at audit trails and all your documentation and see that is classified and labelled. All the documents that you show them, as a minimum if they are confidential should be labelled as such. Doing anything else would be a massive own goal.
Top 3 Mistakes People Make
The top 3 Mistakes People Make For ISO 27001 Annex A 5.14 are
1. Your teams go around you and do what they want because your controls make their life a living hell
Be practical and realistic in what you put in place. No one likes a smart arse but they hate people who make their job more difficult way more. If you make it too hard they will just go around you. You have ZERO way to check, audit or impose on private conversations or private communications over things like WhatsApp and text. It just isn’t realistic. Don’t be a dick, be someone who takes the spirit of what is required and implements in with reasoned appropriateness. This is a risk based management system. Not a rule based system. Controls are for consideration and the level you implement is down to you and the risk to your business.
2. One or more members of your team haven’t done what they should have done
Prior to the audit check that all members of the team have done what they should have, understand how to transfer information and have been trained in it.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
FAQ
For ISO 27001 Annex A 5.14 Information Transfer you will need the ISO 27001 Information Transfer Policy
ISO 27001 Annex A 5.14 Information Transfer is important because people are going to send information and you want it to go only to the people intended in the format you intended it. It isn’t just bad guys that want to get a hold of the data. Not sending it in the right way and sending it to the wrong person is a great way to either be embarrassed, or face legal and regulatory retaliation.
Yes. Whilst the ISO 27001 Annex A clauses are for consideration to be included in your Statement of Applicability there is no reason we can think of that would allow you to exclude ISO 27001 Annex A 5.14. Information transfer is a fundamental part of your control framework and any management system. They are explicitly required for ISO 27001.
Yes. You can write the policies for ISO 27001 Annex A 5.14 yourself. You will need a copy of the standard and approximately 5 days of time to do it. It would be advantageous to have a background in information security management systems. There are a number of documents you will require as well as the policy for information transfer. Alternatively you can download them in the ISO 27001 toolkit.
ISO 27001 templates that support ISO 27001 Annex A 5.14 are located in the ISO 27001 toolkit.
ISO 27001 Annex A 5.14 is hard. Mainly as some of the requirements are unreasonable. The documentation required is extensive. We would recommend templates to fast track your implementation.
ISO 27001 Annex A 5.14 will take approximately 1 to 3 month to complete if you are starting from nothing and doing a full implementation. With the right risk management approach and an ISO 27001 Toolkit it should take you less than 1 day.
The cost of ISO 27001 Annex A 5.14 will depend how you go about it. If you do it yourself it will be free but will take you about 1 to 3 months so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded and managed via risk management.
Related ISO 27001 Controls
ISO 27001 Addressing Information Security Within Supplier Agreements: Annex A 5.20
ISO 27001 Compliance With Policies, Rules And Standards For Information Security: Annex A 5.36
Further Reading
The complete guide to ISO/IEC 27002:2022
ISO 27001 Risk Treatment – Tutorial
ISO 27001 controls and attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality | Protect | Information protection | Protection |
| Integrity | Asset management | |||
| Availability |
