ISO 27001 Information Transfer Policy Explained + Template

Last updated Sep 22, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

An ISO 27001 Information Transfer Policy is your company’s simple guide for sending and receiving information safely. It’s like a set of traffic rules for your data, making sure your valuable information gets from point A to point B without any accidents or detours.

What is it?

This policy is a set of rules that tells you and your team how to transfer information securely. It covers all the different ways you might move data, like sending emails, sharing files in the cloud, or even physically carrying a hard drive. The goal is to prevent information from being lost, stolen, or changed while it’s in transit.

Applicability to Small Businesses, Tech Startups, and AI Companies

This policy is perfect for any size company that handles data. Here’s how it applies:

  • Small Businesses: It helps you formalise how you send client invoices and share marketing materials with partners.
  • Tech Startups: It’s crucial for securely sharing code, project files, and customer feedback with your team and contractors.
  • AI Companies: It’s essential for protecting the data used to train your models and for sharing your AI’s outputs with clients.

ISO 27001 Information Transfer Policy Template

The ISO 27001:2022 Information Transfer Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.

Why you need it

You need this policy to keep your sensitive information safe from prying eyes. It helps you prevent data breaches and shows clients and partners that you’re serious about protecting their information. It also ensures everyone in the company follows the same safe practices, so there’s no confusion.

When you need it

You need this policy any time you transfer information outside your company’s secure network. This includes sending a file to a client, sharing a document with a contractor, or even using a third-party app to communicate. You’ll also use it when you’re setting up new ways to share information.

Who needs it?

Anyone in your company who sends, receives, or handles information needs to follow this policy. This includes sales teams sharing customer data, developers sending code to a partner, and HR staff transferring employee records. It’s a policy for everyone!

Where you need it

This policy applies to every way you transfer information. This means it covers your company email, your cloud storage services like Google Drive or Dropbox, and even physical methods like a USB stick.

How to write it

Writing the policy is easy if you focus on clarity. Start by listing the different ways your company transfers information. Then, create simple rules for each method, like using encryption for sensitive emails or only sharing files through approved, secure platforms. Use simple language that everyone can understand.

Time needed: 1 hour and 30 minutes

How to write an ISO 27001 Information Transfer Policy

  1. Create your version control and document mark-up

    ISO 27001 documents require version control recording the author, the change, the date and the version, as well as document mark-up such as the document classification.

  2. Write the ISO 27001 Information Transfer Policy contents page

    Document Version Control
    Document Contents Page
    Information Transfer Policy
    Purpose
    Scope
    Principles
    Information Virus Checking
    Information Encryption
    Data Transfer Methods
    Preferred Transfer Method
    Data Transfer by Email
    Data transfers by post/courier
    Data transfers on removable media / memory sticks
    Telephones, Mobile Phones and General Conversations
    Data Transfers over Bluetooth
    Lost or missing information
    Policy Compliance
    Compliance Measurement
    Exceptions
    Non-Compliance
    Continual Improvement
    Areas of the ISO27001 Standard Addressed

  3. Write the ISO 27001 Information Transfer Policy purpose

    The purpose of this policy is to ensure the correct treatment of information when it is transferred internally and externally to the company, and to protect the transfer of information across all types of communication facilities.

  4. Write the ISO 27001 Information Transfer Policy principle

    Data transfer must comply with all legal and regulatory requirements, including but not limited to the GDPR and the Data Protection Act 2018.
    Formal agreements that include non-disclosure and confidentiality clauses must be in place for data sharing prior to the data transfer.
    Personal data must not be transferred outside the European Economic Area without a lawful basis, a documented justification, and an appropriate legal transfer mechanism in place.
    No personal or confidential information is to be transferred unencrypted.
    All transfers are in line with the Information Classification and Handling Policy.

  5. Write the ISO 27001 Information Transfer Policy scope

    All employees and third-party users.
    Information that forms part of systems and applications deemed in scope by the ISO 27001 scope statement.

  6. Explain information virus checking

    Information that is transferred is scanned for malware before being sent, and again before being opened when received.

  7. Describe information encryption

    Personal and confidential information is always encrypted before being transferred.
    Where a username and password protect the encrypted content, they are shared via two separate and distinct communication methods, and never in the same message as the encrypted file itself. The preferred split is to share the username via email and the password via a voice call.

  8. Set out the data transfer methods and controls

    Preferred Transfer Method
    The preferred transfer method is (- describe how we transfer data based on DropBox, Sharefile, Google Drive, One Drive, Company portal).

    Data Transfer by Email
    Email is never the best solution for transferring information as it is not secure and is not a guaranteed delivery mechanism.
    Consideration is always given to an alternative secure method of transferring sensitive data wherever possible and practicable.
    Email communication should not be used to transfer unencrypted personal or confidential information.
    Email messages must contain clear instructions of the recipient’s responsibilities and instructions on what to do if they are not the correct recipient.
    Care must be taken as to what information is placed in the subject line of the email or in the accompanying message. Filename or subject line must not reveal the full contents of attachments or disclose any sensitive personal data.
    The use of a personal email account is not permitted.

    Data transfers by post/courier
    Data transfers which occur via physical media such as paper reports, memory cards or CDs must only be dispatched via the company approved secure courier with a record of collection and a signature obtained upon delivery. The use of Royal Mail first class, second class, special delivery or recorded delivery is not permitted.
    The recipient should be clearly stated on the parcel and the physical media must be securely packaged so that it does not break or crack.
    The recipient should be advised in advance that the information is being sent so that they know when to expect it. The recipient must confirm safe receipt as soon as the information arrives, and the sender remains responsible for obtaining that confirmation.

    Data transfers on removable media / memory sticks
    Only company-owned removable media may be used for transferring information. In line with policy, the device must be approved for use, recorded in the asset register, assigned to a named owner, and encrypted.
    The removable media must be returned to the owner on completion of the transfer and the transferred data must be securely erased from the storage device after use. The asset register must be updated.
    Clear instructions of the recipient’s responsibilities and instructions on what to do if they are not the intended recipient must be given.
    Any accompanying message or filename must not reveal the contents of the media.
    The process described for Data transfers by post / courier must be followed.

    Telephones, Mobile Phones and General Conversations
    As phone calls may be monitored, overheard, or intercepted (either deliberately or accidentally), care must be taken as follows:
    Be conscious of your surroundings especially on public transport such as trains and public places such as coffee shops when discussing personal, confidential, or otherwise sensitive information.
    Personal data must not be transferred or discussed over the telephone unless you have confirmed the identity and authorisation of the recipient.
    When using answer phones do not leave sensitive or confidential messages or include any personal data. Only provide a means of contact and wait for the recipient to speak to you personally.
    When listening to answer phone messages left for yourself, ensure you do not play them in open plan areas which risks others overhearing. Delete them immediately after listening.

    Data Transfers over Bluetooth
    Bluetooth is not approved as a communication method for unencrypted confidential, personal, or otherwise sensitive data.
    Ensure device mutual authentication is performed for all accesses.
    Enable encryption for all broadcast transmissions (Encryption Mode 3).
    Configure encryption key sizes to the maximum allowable.
    Establish a minimum key size for any key negotiation process; keys must be at least 128 bits long.
    Use application-level authentication and encryption (on top of the Bluetooth stack), such as TLS, for sensitive data communication.
    Perform pairing as infrequently as possible, and ideally in a secure area where attackers cannot realistically observe the passkey entry or intercept Bluetooth pairing messages.
    Note: A “secure area” is defined as a non-public area that is indoors, away from windows, in a location with physical access controls.
    Users should not respond to any message requesting a PIN unless they have initiated a pairing and are certain the PIN request is being sent by one of their own devices.
    Use only Security Modes 3 and 4; Security Modes 1 and 2 must not be allowed. Security Mode 3 is preferred where supported, but Bluetooth v2.1 and later devices cannot use Security Mode 3 and must use Security Mode 4.
    Users should not accept transmissions of any kind from unknown or suspicious devices, including messages, files, or images.
    All Bluetooth profiles except the Serial Port Profile should always be disabled, and the user should not be able to enable them.

  9. Describe the process for lost or missing information

    If it is discovered or suspected that information has been lost, is missing, did not arrive, or has gone to the wrong person, the employee or external party user must immediately inform at least one of: their line manager, the information security management team, the management review team, or the senior management team. From that point the company Incident Management Process is followed.
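The encryption, separate-channel credential and receipt-confirmation clauses in steps 7 and 8 above, and the "did not arrive or was altered" trigger in step 9, map onto a concrete sender/recipient exercise. The following POSIX shell script is an added example and is not part of the policy template or the toolkit. It assumes openssl is installed; the invoice file and passphrase are constructed for the demonstration, and the neutral file name transfer-0001.enc is a hypothetical naming convention chosen so the filename does not reveal the contents. The sender encrypts the file and records a SHA-256 digest of the ciphertext; the recipient refuses to open anything whose digest does not match (which is the point at which the lost-or-missing-information step applies) and decrypts only with the passphrase received over a separate channel.

```shell
#!/bin/sh
# Added example, not the policy's or toolkit's own code.
# Demonstrates: encrypt before transfer, confirm receipt against a digest,
# keep the passphrase on a separate channel from the file.
# Assumes: openssl is installed. Sample data below is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Sender side: encrypt the plaintext with AES-256-CBC under a PBKDF2-derived
# key and print the SHA-256 digest of the ciphertext. Only the .enc file and
# the digest travel over the file-transfer channel; the passphrase goes out
# of band (voice call), per the "Information Encryption" clause.
sender_prepare() {
  plaintext="$1"; passphrase="$2"; out="$3"
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$plaintext" -out "$out" -pass "pass:$passphrase"
  # "-r" prints "<hex digest> *<file>"; keep only the digest
  openssl dgst -sha256 -r "$out" | cut -d' ' -f1
}

# Recipient side: recompute the digest of what actually arrived and refuse to
# decrypt unless it matches the digest the sender confirmed.
# Returns 0 on success, 1 on digest mismatch (file altered or incomplete:
# do not open, raise an incident), 2 if decryption fails (e.g. wrong passphrase).
recipient_receive() {
  received="$1"; expected_digest="$2"; passphrase="$3"; out="$4"
  actual="$(openssl dgst -sha256 -r "$received" | cut -d' ' -f1)"
  if [ "$actual" != "$expected_digest" ]; then
    echo "digest mismatch for $received: do not open, follow the Incident Management Process" >&2
    return 1
  fi
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$received" -out "$out" -pass "pass:$passphrase" 2>/dev/null || return 2
}

# --- Constructed demonstration data (not a real transfer) ---
printf 'Client: Example Ltd\nInvoice total: 1234.00\n' > "$WORK/invoice.txt"
PASS="correct horse battery staple"   # read out over a voice call, never emailed with the file

# Neutral output name: the filename must not reveal the contents (email clause).
DIGEST="$(sender_prepare "$WORK/invoice.txt" "$PASS" "$WORK/transfer-0001.enc")"
echo "send transfer-0001.enc and digest $DIGEST via the approved platform; passphrase by phone"

# Recipient confirms safe receipt against the digest, then decrypts.
recipient_receive "$WORK/transfer-0001.enc" "$DIGEST" "$PASS" "$WORK/invoice.decrypted" \
  && echo "receipt confirmed and file decrypted"

# A file that arrives altered (here: one byte appended in transit) is refused
# before any decryption is attempted.
cp "$WORK/transfer-0001.enc" "$WORK/tampered.enc"
printf 'x' >> "$WORK/tampered.enc"
if recipient_receive "$WORK/tampered.enc" "$DIGEST" "$PASS" "$WORK/tampered.out"; then
  echo "unexpected: tampered file accepted"
else
  echo "tampered file refused (exit $?)"
fi
```

`-pass pass:…` is used here for brevity; on a shared host read the passphrase from a file (`-pass file:`) or the environment (`-pass env:`) so it does not appear in the process list. The digest gives the recipient an integrity check for the confirmation step, but it is not a substitute for authenticated encryption: a production transfer tool should use one that provides it, such as GnuPG or age.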

How to implement it

To put the policy into action, you’ll first share it with everyone in the company. You can hold a quick training session to explain the rules. Then, you can use technical tools to help enforce the policy, like setting up email encryption or using a secure file-sharing service.

Examples of using it for small businesses

Your policy might state that all financial documents sent to your accountant must be encrypted. It might also require that you only use a specific secure platform for sharing client project files.

Examples of using it for tech startups

For a startup, this policy could specify that all code shared with external developers must be sent through a secure code repository. It could also outline a rule that customer data can never be sent over email.

Examples of using it for AI companies

An AI company’s policy might include rules for how to transfer large datasets securely, perhaps by using a dedicated secure server. It would also specify how to protect the intellectual property in your AI models when sharing them with clients.

How the ISO 27001 toolkit can help

An ISO 27001 toolkit is a great shortcut. It often includes pre-written policies, procedures, and forms that you can use right away. It saves you the hassle of writing everything from scratch and helps you make sure you don’t miss any important details.

Information security standards that need it

This policy is a key part of ISO 27001 certification, but it is also very useful for other standards and regulations such as HIPAA (for health data) and the General Data Protection Regulation (GDPR) (for personal data). These require you to have controls in place to protect information during transfer.

List of relevant ISO 27001:2022 controls

The ISO 27001:2022 standard has one main control that relates to information transfer: ISO 27001:2022 Annex A 5.14 Information transfer. The policy's encryption and removable-media clauses also provide evidence for related controls, Annex A 7.10 Storage media and Annex A 8.24 Use of cryptography.

ISO 27001 Information Transfer Policy Example

An example of an ISO 27001:2022 Information Transfer Policy:

ISO 27001 Information Transfer Policy FAQ

What’s the main goal of this policy?

To keep information safe when it’s being moved from one place to another.

Is this policy only for digital transfers? 

No, it covers both digital and physical transfers.

Who is responsible for the policy?

The person in charge of your ISMS, but everyone must follow it.

How often should we update our policy?

You should review it at least once a year.

What happens if we don’t follow it?

It can lead to data breaches, loss of customer trust, and legal problems.

Is this policy a one-time project?

No, it’s a living document that you should continually use and update.

Does this policy cover emails?

Yes, it should include rules for how to send sensitive information via email.

What is encryption? 

It’s a way of scrambling information so that only authorised people can read it.

How long should we keep records of transfers?

The policy should specify a retention period based on legal and business requirements.

Do we need a separate policy for each type of transfer?

No, this single policy can cover all your transfer methods.

What if a team member uses an unapproved service?

The policy should explain the risks and consequences of using unapproved tools.

How does this help with compliance?

It provides clear evidence that you are protecting data in transit, which is crucial for audits.

Is this policy mandatory for ISO 27001?

Yes. Annex A 5.14 requires rules, procedures or agreements for information transfer to be in place, and a documented policy is the usual way to satisfy and evidence that control.

What’s the first step to creating our policy?

Find a good template and decide who will be in charge of it.

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.