ISO 27001 Annex A 5.14 Information Transfer

ISO 27001Information Transfer

I am going to show you what ISO 27001 Annex A 5.14 Information Transfer is, what’s new, give you ISO 27001 templates, an ISO 27001 toolkit, show you examples, do a walkthrough and show you how to implement it.

I am Stuart Barker the ISO 27001 Ninja and using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.

What is ISO 27001 Annex A 5.14 Information Transfer?

ISO 27001:Annex A 5.14 Information Transfer is an ISO 27001 control that requires an organisation to have rules, procedures or agreements in place for all types of transfer within the organisation and with third parties.

ISO 27001 Annex A 5.14 Purpose

Annex A 5.2 is a preventive control that ensures you maintain the security of information transferred within an organisation and with any external interested party.

ISO 27001 Annex A 5.14 Definition

The 27001 standard defines ISO 27001 Annex A 5.14 as:

Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organisation and between the organisation and other parties.

ISO 27001:2022 Annex A 5.14 Information Transfer

ISO 27001:2022 Changes

Ok, so the changes to the 2022 version of the standard are in part practical but in equal part absolutely fking hilarious. It is like people sit in a room and think, what makes the least sense that we can make people do. Take for example fax machines, or disclaimers before you talk to anyone. Absolute drivel but a good laugh. Still there is some good stuff in here like fleshing out the transfer methods with a little more guidance on physical and electronic. Verbal guidance belongs in the bin and is totally unmanageable and un auditable but still, we cover it below.

Implementation Guide

The prerequisite for the this annex a control is having an information classification scheme in place. We covered information classification in – ISO 27001 Annex A 5.12 Classification of Information Beginner’s Guide

Once you have your classification scheme in place you are going to then implement rules, procedures and agreements to protect information in transit based on its classification and the classification scheme you have established.

You are going to have to

• Establish and communicate a topic specific policy on information transfer
• Implement rules, procedures and/ or agreements for information transfer to protect information in transit
• Cover information and other associated assets in all formats

Remembering that information transfer can be done in many ways including through electronic transfer, physical storage media transfer and even verbal transfer.

Let us explore what the standard is expecting for each transfer method.

All information transfers

For all information transfer

• Implement controls proportionate to the information classification and business risk to protect against destruction, interception, unauthorised access, copying, modification – basically to protect the confidentiality, integrity and availability of the information.
• Put in place the ability to ensure traceability and the fancy word of non repudiation which includes a chain of custody wile in transit. Do you know who had it and what they did with it and can you prove it if you need to?
• The standard loves having owners so you will have the usual suspects of data owners, risk owners and all the roles and responsibilities defined by the management system. Those involved in the transfer of information should really be defined along with their contact details.
• Put in place who does what if there is a breach or an incident and who is going to be liable
• Obviously as we covered in ISO 27001 Annex A 5.13 Labelling Of Information Beginner’s Guide – you are going to have information labelling.
• In the top trumps of requirements the law always wins so clearly you will look at the legal register you have completed and look at relevant laws, regulations and contractual requirements that apply to you and follow them for information transfer.
• Set out your guidelines on storage and deletion of business records, and messages.
• Ensure the availability of the transfer service.

Electronic Transfers

There are some extra things you will have to do for electronic transfers. Nothing unusual but they are

• Detect and protect against malware and viruses
• If you use attachments and they include sensitive information – protect them.
• When you send something to someone make sure it is the correct someone.
• If you simply must use public means like instant messaging, get approval first. And then put in place some stronger measures and stricter authentication.
• Tell people not to message or SMS critical information. You can tell them. They won’t listen. And no one can check as they are private. Still, be sure to tell them eh?

Fax Machines

I mean WTAF but still, people use them apparently. The standard is all nice and vague about advising people of the problems of using them. It omits the fact the main problem is this is not 1987 but still tell people about the problems. Apparently. The actual reality is if you do use them then you are controlling them through risk management and compensating controls.

Physical Storage Media Transfers

So we are going to move some physical media or paper about the place? If you must you must. But if you do then

• Someone needs to be assigned responsibility for notifying it will happen, making it happen and getting a reciept that it happened. Nice work if you can get it.
• Send it to the right person, in the right way, eh? I mean, come on.
• Nothing stops a thief like a package so packaging is covered. Packaging has its place. Think amazon. Package that bad boy before you send it.
• I am not a fan of Evri per se, but then this is not my call and other couriers are available so you need to have an agreed list. The standard says of reliable couriers. Which is hilarious. Just have a list of the least shit.
• It wants you to have courier identification standards. Which is vague AF. Pick mainstreams ones and you will be ok. Or you could try asking – ‘are you a courier’ before handing over priceless data and if the answer is ‘er, yes’ then I think you are golden.
• Log everything!

Verbal Transfers

Oh my sweet god, so we are in the realms of thought police. I wish you god speed with this one but lets look at what the standard believes people will do.

• No confidential chit chats in public places!
• No answer machine messages with that confidential data on. ‘Hi, this is Stuart, I am not available right now so please leave your confidential information after the beep……’
• Screen people to the appropriate level to listen to the conversation – Bwhhahhh hhahhha hhhaaa
• Have room controls in place like sound proofing – which is a little to 50 shades of grey for my liking. Please come into this sound proof room so I may whisper confidential information at you.
• Begin any sensitive conversation with a disclaimer. Of course. Obvious really. Give it a try. People will love you for it.

What are the 3 transfer methods of ISO 27001 now covered?

The 3 transfer methods of ISO 27001 that are now explicitly covered are

• Electronic
• Physical
• Verbal

ISO 27001 Information Transfer Templates

If you want to write these yourself I totally commend you. And pity you in equal measure. You could save months of effort with these templates that take 25 years of experience and distill it in a pack of prewritten best practice awesomeness.

How to comply with ISO 27001 Annex A 5.14

To comply with ISO 27001 Annex A 5.14 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to

• Get yourself a topic specific policy and communicate it
• Implement your classification scheme
• Define and Implement your procedures, rules and agreements for transfers
• Communicate and make sure people follow said procedures, rules and agreements

How to pass an audit of ISO 27001 Annex A 5.14

To pass an audit of ISO 27001 Annex A 5.14 you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

What will an audit check?

The audit is going to check a number of areas. Lets go through them

1. That you have not done something stupid

The auditor is going to check the rules, procedures and agreements and make sure you followed them. As with everything having documented evidence of anything you can is going to be your friend. So practical things like physical media transfer logs, risk register items and evidences of training. Work through each transfer type and look for the gotchas. Sure you use a secure courier but did you agree it and have them listed some where? Sure you start every conversation with a disclaimer, and now for shits and giggles, with the auditor would be the time to polish off and demonstrate your unique verbal skills.

2. That you have rules, processes, agreement and you have followed them and have trained people

This is obvious but they are going to look that you have documented what you say you do, that you follow it and that you have trained people.

3. Documentation

They are going to look at audit trails and all your documentation and see that is classified and labelled. All the documents that you show them, as a minimum if they are confidential should be labelled as such. Doing anything else would be a massive own goal.

Top 3 Mistakes People Make

The top 3 Mistakes People Make For ISO 27001 Annex A 5.14 are

1. Your teams go around you and do what they want because your controls make their life a living hell

Be practical and realistic in what you put in place. No one likes a smart arse but they hate people who make their job more difficult way more. If you make it too hard they will just go around you. You have ZERO way to check, audit or impose on private conversations or private communications over things like WhatsApp and text. It just isn’t realistic. Don’t be a dick, be someone who takes the spirit of what is required and implements in with reasoned appropriateness. This is a risk based management system. Not a rule based system. Controls are for consideration and the level you implement is down to you and the risk to your business.

2. One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have, understand how to transfer information and have been trained in it.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Why is ISO 27001 Information Transfer Important?

ISO 27001 Annex A 5.14 Information Transfer is important because people are going to send information and you want it to go only to the people intended in the format you intended it. It isn’t just bad guys that want to get a hold of the data. Not sending it in the right way and sending it to the wrong person is a great way to either be embarrassed, or face legal and regulatory retaliation.

ISO 27001 Information Transfer FAQ

Get the Help of the ISO 27001 Ninja

Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster that you ever thought possible.

Matrix of ISO 27001 controls and ISO 27001 attribute values

Control type	Information security properties	Cybersecurity concepts	Operational capabilities	Security domains
Preventive	Confidentiality	Protect	Information protection	Protection
	Integrity			Asset management
	Availability