Communications SecurityISO 27001 Annex A.13
What is the objective of Annex A.13.1 of ISO 27001:2013?
Annex A.13.1 is about network security management. The objective in this Annex is to ensure the protection of information in networks and its supporting information processing facilities. It’s an important part of the information security management system (ISMS) especially if you’d like to achieve ISO 27001 certification. Lets understand those requirements and what they mean in a bit more depth now.
A.13.1.1 Network Controls
Networks must be managed and controlled in order to protect information within systems and applications. Put in simple terms, the organisation should use appropriate methods in order to ensure it is protecting any information within its systems and applications. These network controls should consider all operations of the business carefully, be adequately and proportionately designed, and implemented according to business requirements, risk assessment, classifications and segregation requirements as appropriate. Some possible examples of technical controls for consideration may include; Connection control and endpoint verification, Firewalls and intrusion detection/prevention systems, access control lists, and physical, logical or virtual segregation. It is also important to enforce the fact that when connecting to public networks or those of other organisations outside organisational control, it is important to consider the increased risk levels and to manage these risks with additional controls as appropriate.
You will need to bare in mind that the auditor will be looking to see that these implemented controls are effective and managed appropriately, including the use of formal change management procedures.
A.13.1.2 Security of Network Services
Security mechanisms, service levels and management requirements of all network service need to be identified and included in network services agreements, whether these services are provided in-house or outsourced. Put into simple terms, the organisation should include all the various security measures it is taking in order to secure its network services, in its network services agreements. Your auditor will want to see that the design and implementation of networks takes into account both the business requirements and security requirements, achieving a balance that is adequate and proportionate to both. They will be looking for evidence of this, along with evidence of a risk assessment.
A.13.1.3 Segregation in Networks
Groups of information services, users and information systems shall be segregated on networks. Put into simple terms, the organisation should ensure that it’s networks segregate groups of information services, users and information systems appropriately. Wherever possible consider segregating duties of network operations and computer/system operations. The network design and control must align to and support classification policies and segregation requirements.
What is the objective of Annex A.13.2 of ISO 27001:2013?
Annex A.13.2 is about information transfer. The objective in this Annex is to maintain the security of information transferred within an organisation and with any external entity. Once again, it’s an important part of the information security management system (ISMS) especially if you would like to achieve ISO 27001 certification. Lets understand those requirements and what they mean in a bit more depth now.
A.13.2.1 Information Transfer Policies & Procedures
Formal transfer policies, procedures and controls must be in place to protect the transfer of information through the use of all types of communication facilities. Whatever type of communication facility is in use, it is important to understand the security risks involved in relation to the confidentiality, integrity and availability of the information and this will need to take into account the type, nature, amount and sensitivity or classification of the information being transferred. It is especially important to implement such policies and procedures when information is being transferred out of or into the organisation from third parties. Different but complementary controls may be required to protect information being transferred from interception, copying, modification, mis-routing and destruction and should be considered holistically when identifying which controls are to be selected.
A.13.2.2 Agreements on Information Transfer
Agreements must address the secure transfer of business information between the organisation and any external parties. Put in simple terms, the organisation should ensure that when they transfer information between themselves and other businesses or individuals, it should be done as securely as possible, e.g. over secure networks. Formal transfer policies procedures and technical controls should be selected, implemented, operated, monitored, audited and reviewed to ensure ongoing effective security protection. Often, communications and transfer systems and procedures are put in place, without a real understanding of the risks involved which therefore creates vulnerabilities and possible compromise.
A.13.2.3 Electronic Messaging
Any information that is involved in any form of electronic messaging needs to be appropriately protected. Put in simple terms, when using electronic messaging within the organisation, it should be protected to ensure no unauthorised access can be gained. For example, authentication allowing the use of the organisations electronic messaging services should be controlled by the organisations password policy. The organisation should create a policy which sets out which forms of electronic messaging should be used for the different types of information being transferred, e.g. depending on how secure they are. Considerations will also need to be made for voice & fax communications transfer, and physical transfer (e.g. via postal systems).
A.13.2.4 Confidentiality or Non-Disclosure Agreements
A good control describes how the requirements for confidentiality or non-disclosure agreements that reflect the organisation’s needs for the protection of information must be identified, regularly reviewed and documented. Put into simple terms, the organisation needs to ensure that any information that is has which needs to be protected, is done so through the use of confidentiality and non-disclosure agreements.
This policy is very specific to your organisation and should therefore be developed with your control needs in mind following your risk analysis work. Standard agreements and policies you may want to consider here include:
- Customer agreements using standard terms and conditions – expressing confidentiality within the context of the use of products sold and any complementary services outlined in a related order form.
- Alliance, prospect and other preparatory disclosures that may be made in the lead up to a more formal customer agreement.
- Associate/supplier agreements used for small suppliers and independent service providers who the organisation use for delivery of services ranging from software development through to on site client training.
- Check the limitations of software terms, ensuring they provide the required access for organisations and their customers to access certain software products.
- Employment related terms.
- Sensitive information access forms.
- Software products – user registration terms – an agreement reinforcing that users, whether from a customer or their partners, adhere to the relevant terms on which their organisation has adopted your software services. This includes confidentiality.
How does ISMS.online help with Information Security Incident Management?
ISMS.online has made this control objective very easy with it’s built in tools that can be adopted in just minutes to demonstrate the work being done. The risk map tool allows risks to be added to the map and places based on their likelihood and impact, therefore giving you more of an idea of what decisions to make when selecting the appropriate levels of policy and procedure implementation in regard to information transfer. ISMS.online has also helped make this control objective easier with its easy-to-use reminders that can be applied to certain tasks and policies, ensuring that you keep up with your periodic audits and reviews.
Discover how you can save time & reduce management resource using ISMS.online to achieve & maintain your ISO 27001 ISMS
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
Need a set of ISO 27001 policies for your ISMS?
ISMS.online includes practical policies and controls for your organisation to easily adopt, adapt and add to, giving you a
77% head start with ISO 27001