ISO 27001 – Annex A.13: Communications Security

What is the objective of Annex A.13.1?

Annex A.13.1 is about network security management. The objective in this Annex is to ensure the protection of information in networks and its supporting information processing facilities. It’s an important part of the information security management system (ISMS) especially if you’d like to achieve ISO 27001 certification.

A.13.1.1 Network Controls

Networks must be managed and controlled in order to protect information within systems and applications. Put in simple terms, the organisation should use appropriate methods in order to ensure it is protecting any information within its systems and applications. These network controls should consider all operations of the business carefully, be adequately and proportionately designed, and implemented according to business requirements, risk assessment, classifications and segregation requirements as appropriate.

Some possible examples of technical controls for consideration may include; Connection control and endpoint verification, firewalls and intrusion detection/prevention systems, access control lists, and physical, logical or virtual segregation. It is also important to enforce the fact that when connecting to public networks or those of other organisations outside organisational control, to consider the increased risk levels and to manage these risks with additional controls as appropriate.

You will need to bear in mind that the auditor will be looking to see these implemented controls are effective and managed appropriately, including the use of formal change management procedures.

A.13.1.2 Security of Network Services

Security mechanisms, service levels and management requirements of all network services need to be identified and included in network services agreements, whether these services are provided in-house or outsourced. Put into simple terms, the organisation should include all the various security measures it is taking in order to secure its network services, in its network services agreements. Your auditor will want to see that the design and implementation of networks takes into account both the business requirements and security requirements, achieving a balance that is adequate and proportionate to both. They will be looking for evidence of this, along with evidence of a risk assessment.

A.13.1.3 Segregation in Networks

Groups of information services, users and information systems should be segregated on networks. Wherever possible consider segregating duties of network operations and computer/system operations e.g. public domains, dept x or y domains. The network design and control must align to and support information classification policies and segregation requirements.

What is the objective of Annex A.13.2?

Annex A.13.2 is about information transfer. The objective in this Annex is to maintain the security of information transferred within the organisation and with any external entity e.g a customer, supplier or other interested party.

A.13.2.1 Information Transfer Policies & Procedures

Formal transfer policies, procedures and controls must be in place to protect the transfer of information through the use of all types of communication facilities. Whatever type of communication facility is in use, it is important to understand the security risks involved in relation to the confidentiality, integrity and availability of the information and this will need to take into account the type, nature, amount and sensitivity or classification of the information being transferred. It is especially important to implement such policies and procedures when information is being transferred out of or into the organisation from third parties. Different but complementary controls may be required to protect information being transferred from interception, copying, modification, mis-routing and destruction and should be considered holistically when identifying which controls are to be selected.

A.13.2.2 Agreements on Information Transfer

Information may be transferred digitally or physically and agreements must address the secure transfer of business information between the organisation and any external parties. Formal transfer policies procedures and technical controls should be selected, implemented, operated, monitored, audited and reviewed to ensure ongoing effective security protection. Often, communications and transfer systems and procedures are put in place, without a real understanding of the risks involved which therefore creates vulnerabilities and possible compromise. ISO 27002 touches on implementation considerations including consideration of notifications, traceability, escrow, identification standards, chain of custody, cryptography, access control and others.

A.13.2.3 Electronic Messaging

Any information that is involved in any form of electronic messaging needs to be appropriately protected. Put in simple terms, when using electronic messaging, it should be protected to ensure no unauthorised access can be gained The organisation should create a policy which sets out which forms of electronic messaging should be used for the different types of information being transferred, e.g. depending on how secure they are. Considerations will also need to be made for voice & fax communications transfer, and physical transfer (e.g. via postal systems). This should align with access controls and other secure authentication policies and log-on procedures.

A.13.2.4 Confidentiality or Non-Disclosure Agreements

A good control describes how the requirements for confidentiality or non-disclosure agreements that reflect the organisation’s needs for the protection of information must be identified, regularly reviewed and documented. As such the organisation needs to ensure that any information that needs to be protected, is done so through the use of confidentiality and non-disclosure agreements.

Agreements are usually specific to the organisation and should be developed with its control needs in mind following the risk analysis work. Standard agreements for confidentiality and non-disclosure that may warrant consideration here include:

• General non-disclosure and mutual non-disclosure agreements e.g. when sharing sensitive information e.g. about new business ideas.
• Customer agreements using standard terms and conditions – expressing confidentiality within the context of the use of products sold and any complementary services outlined in a related order form.
• Associate/supplier/partner agreements used for small suppliers and independent service providers who the organisation use for delivery of services.
• Employment related terms (aligned with A.7).
• Privacy policies e.g. from email footers.