ISO27001 Annex A 5.14 Information Transfer Beginner’s Guide

ISO27001 Annex A 5.14 Information Transfer and ISO27002 Clause 5.14 Information Transfer Beginner’s Guide

ISO27002: 2022 Clause 5.14 Information Transfer

In this article I lay bare ISO27001 Annex A 5.14 / ISO27002: 2022 Clause 5.14 Information Transfer.

A beginners guide to transfer of information, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is ISO27001 Annex A 5.14

What is ISO27001 Annex A 5.14?

ISO27001 Annex A 5.14 Information Transfer is an ISO27002: 2022 control that requires an organisation to have rules, procedures or agreements in place for all types of transfer within the organisation and with third parties.

ISO27001 Annex A 5.14 Definition

The ISO27001 standard defines ISO27001 Annex A 5.14 Information Transfer as:

Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.

ISO27001 Annex A 5.14

ISO 27001 Annex A 5.14 2022 Changes Summary

Ok, so the changes to the 2022 version of the standard are in part practical but in equal part absolutely fking hilarious. It is like people sit in a room and think, what makes the least sense that we can make people do. Take for example fax machines, or disclaimers before you talk to anyone. Absolute drivel but a good laugh. Still there is some good stuff in here like fleshing out the transfer methods with a little more guidance on physical and electronic. Verbal guidance belongs in the bin and is totally unmanageable and un auditable but still, we cover it below.

ISO27001 Annex A 5.14 Implementation Guide

The prerequisite for the this annex a control is having an information classification scheme in place. We covered information classification in – ISO27001 Annex A 5.12 Classification of Information Beginner’s Guide

Once you have your classification scheme in place you are going to then implement rules, procedures and agreements to protect information in transit based on its classification and the classification scheme you have established.

You are going to have to

  • Establish and communicate a topic specific policy on information transfer
  • Implement rules, procedures and/ or agreements for information transfer to protect information in transit
  • Cover information and other associated assets in all formats

Remembering that information transfer can be done in many ways including through electronic transfer, physical storage media transfer and even verbal transfer.

Let us explore what the standard is expecting for each transfer method.

All information transfers

For all information transfer

  • Implement controls proportionate to the information classification and business risk to protect against destruction, interception, unauthorised access, copying, modification – basically to protect the confidentiality, integrity and availability of the information.
  • Put in place the ability to ensure traceability and the fancy word of non repudiation which includes a chain of custody wile in transit. Do you know who had it and what they did with it and can you prove it if you need to?
  • The standard loves having owners so you will have the usual suspects of data owners, risk owners and all the roles and responsibilities defined by the management system. Those involved in the transfer of information should really be defined along with their contact details.
  • Put in place who does what if there is a breach or an incident and who is going to be liable
  • Obviously as we covered in ISO27001 Annex A 5.13 Labelling Of Information Beginner’s Guide – you are going to have information labelling.
  • In the top trumps of requirements the law always wins so clearly you will look at the legal register you have completed and look at relevant laws, regulations and contractual requirements that apply to you and follow them for information transfer.
  • Set out your guidelines on storage and deletion of business records, and messages.
  • Ensure the availability of the transfer service.

Electronic Transfers

There are some extra things you will have to do for electronic transfers. Nothing unusual but they are

  • Detect and protect against malware and viruses
  • If you use attachments and they include sensitive information – protect them.
  • When you send something to someone make sure it is the correct someone.
  • If you simply must use public means like instant messaging, get approval first. And then put in place some stronger measures and stricter authentication.
  • Tell people not to message or SMS critical information. You can tell them. They won’t listen. And no one can check as they are private. Still, be sure to tell them eh?

Fax Machines

I mean WTAF but still, people use them apparently. The standard is all nice and vague about advising people of the problems of using them. It omits the fact the main problem is this is not 1987 but still tell people about the problems. Apparently. The actual reality is if you do use them then you are controlling them through risk management and compensating controls.

Physical Storage Media Transfers

So we are going to move some physical media or paper about the place? If you must you must. But if you do then

  • Someone needs to be assigned responsibility for notifying it will happen, making it happen and getting a reciept that it happened. Nice work if you can get it.
  • Send it to the right person, in the right way, eh? I mean, come on.
  • Nothing stops a thief like a package so packaging is covered. Packaging has its place. Think amazon. Package that bad boy before you send it.
  • I am not a fan of Evri per se, but then this is not my call and other couriers are available so you need to have an agreed list. The standard says of reliable couriers. Which is hilarious. Just have a list of the least shit.
  • It wants you to have courier identification standards. Which is vague AF. Pick mainstreams ones and you will be ok. Or you could try asking – ‘are you a courier’ before handing over priceless data and if the answer is ‘er, yes’ then I think you are golden.
  • Log everything!

Verbal Transfers

Oh my sweet god, so we are in the realms of thought police. I wish you god speed with this one but lets look at what the standard believes people will do.

  • No confidential chit chats in public places!
  • No answer machine messages with that confidential data on. ‘Hi, this is Stuart, I am not available right now so please leave your confidential information after the beep……’
  • Screen people to the appropriate level to listen to the conversation – Bwhhahhh hhahhha hhhaaa
  • Have room controls in place like sound proofing – which is a little to 50 shades of grey for my liking. Please come into this sound proof room so I may whisper confidential information at you.
  • Begin any sensitive conversation with a disclaimer. Of course. Obvious really. Give it a try. People will love you for it.

What are the 3 transfer methods of ISO27001 now covered?

The 3 transfer methods of ISO27001 that are now explicitly covered are

  • Electronic
  • Physical
  • Verbal

ISO27001 Annex A 5.14 Templates

If you want to write these yourself I totally commend you. And pity you in equal measure. You could save months of effort with these templates that take 25 years of experience and distill it in a pack of prewritten best practice awesomeness.

ISO27001 Annex A 5.11 Return of Assets ISO27001 Templates Toolkit

How to comply with ISO27001 Annex A 5.14

To comply with ISO27001 Annex A 5.14 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to

  • Get yourself a topic specific policy and communicate it
  • Implement your classification scheme
  • Define and Implement your procedures, rules and agreements for transfers
  • Communicate and make sure people follow said procedures, rules and agreements

How to pass an audit of ISO27001 Annex A 5.14

To pass an audit of ISO27001 Annex A 5.14 you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO27001 Internal Audit Guide.

What will an audit check?

The audit is going to check a number of areas. Lets go through them

#1 That you have not done something stupid

The auditor is going to check the rules, procedures and agreements and make sure you followed them. As with everything having documented evidence of anything you can is going to be your friend. So practical things like physical media transfer logs, risk register items and evidences of training. Work through each transfer type and look for the gotchas. Sure you use a secure courier but did you agree it and have them listed some where? Sure you start every conversation with a disclaimer, and now for shits and giggles, with the auditor would be the time to polish off and demonstrate your unique verbal skills.

#2 That you have rules, processes, agreement and you have followed them and have trained people

This is obvious but they are going to look that you have documented what you say you do, that you follow it and that you have trained people.

#3 Documentation

They are going to look at audit trails and all your documentation and see that is classified and labelled. All the documents that you show them, as a minimum if they are confidential should be labelled as such. Doing anything else would be a massive own goal.

Top 3 Annex ISO27001 A 5.14 Mistakes People Make

The top 3 Mistakes People Make For ISO27001 Annex A 5.14 are

#1 Your teams go around you and do what they want because your controls make their life a living hell

Be practical and realistic in what you put in place. No one likes a smart arse but they hate people who make their job more difficult way more. If you make it too hard they will just go around you. You have ZERO way to check, audit or impose on private conversations or private communications over things like WhatsApp and text. It just isn’t realistic. Don’t be a dick, be someone who takes the spirit of what is required and implements in with reasoned appropriateness. This is a risk based management system. Not a rule based system. Controls are for consideration and the level you implement is down to you and the risk to your business.

#2 One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have, understand how to transfer information and have been trained in it.

#3 Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Why is ISO27001 Annex A 5.14 Important?

ISO27001 Annex A 5.14 Information Transfer is important because people are going to send information and you want it to go only to the people intended in the format you intended it. It isn’t just bad guys that want to get a hold of the data. Not sending it in the right way and sending it to the wrong person is a great way to either be embarrassed, or face legal and regulatory retaliation.

ISO27001 Annex A 5.14 FAQ

What policies do I need for ISO27001 Annex A 5.14 Information Transfers?

For ISO27001 Annex A 5.14 Information Transfer you will need the ISO27001 Information Transfer Policy: https://hightable.io/product/information-transfer-policy-template/

Are there free templates for ISO27001 Annex A 5.14?

There are templates for ISO27001 Annex A 5.14 located here: https://hightable.io/iso-27001-toolkit/

ISO27001 Annex A 5.14 sample PDF?

ISO27001 Annex A 5.14 Sample PDF: https://hightable.io/iso-27001-toolkit/

Do I have to satisfy ISO27001 Annex A 5.14 for ISO27001 Certification?

Yes. Whilst the ISO27001 Annex A clauses are for consideration to be included in your Statement of Applicability there is no reason we can think of that would allow you to exclude ISO27001 Annex A 5.14. Information transfer is a fundamental part of your control framework and any management system. They are explicitly required for ISO27001.

Can I write polices for ISO27001 Annex A 5.14 myself?

Yes. You can write the policies for ISO27001 Annex A 5.14 yourself. You will need a copy of the standard and approximately 5 days of time to do it. It would be advantageous to have a background in information security management systems. There are a number of documents you will require as well as the policy for information transfer. Alternatively you can download them here: https://hightable.io/iso-27001-toolkit/

Where can I get templates for ISO27001 Annex A 5.14?

ISO27001 templates for ISO27001 Annex A 5.14 are located here: https://hightable.io/iso-27001-toolkit/

How hard is ISO27001 Annex A 5.14?

ISO27001 Annex A 5.14 is hard. Mainly as some of the requirements are unreasonable. The documentation required is extensive. We would recommend templates to fast track your implementation.

How long will ISO27001 Annex A 5.14 take me?

ISO27001 Annex A 5.14 will take approximately 1 to 3 month to complete if you are starting from nothing and doing a full implementation. With the right risk management approach and an ISO27001 Template Toolkit it should take you less than 1 day.

How much will ISO27001 Annex A 5.14 cost me?

The cost of ISO27001 Annex A 5.14 will depend how you go about it. If you do it yourself it will be free but will take you about 1 to 3 months so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded and managed via risk management.

Matrix of controls and attribute values

Control typeInformation
security properties
Cybersecurity
concepts
Operational
capabilities
Security domains
#Preventive
#Confidentiality
#Integrity
#Availability
#Protect#Information_protection
#Protection
#Asset_management

See Also

Reference

ISO/IEC 27001 Information Security Management

ISO 27001 Templates Toolkit Business Edition Black
ISO27001 Policy Templates Pack Green

FREE 30 minute ISO27001 strategy session.

Claim your 100% FREE no-obligation 30 minute strategy session call (£1000 value). This is strictly for small businesses who are hungry to get ISO27001 certified up to 10x faster and 30x cheaper.

ISO27001 Certification Stragey Call
Shopping Cart