ISO 27001 - Annex A.13: Communications Security
What is the objective of Annex A.13.1 of ISO 27001:2013?
Annex A.13.1 is about network security management. The objective in this Annex is to ensure the protection of information in networks and its supporting information processing facilities. It is an important part of the information security management system (ISMS), especially if you would like to achieve ISO 27001 certification. Let's understand those requirements and what they mean in a bit more depth now.
A.13.1.1 Network Controls
Networks must be managed and controlled in order to protect information within systems and applications. Put in simple terms, the organisation should use appropriate methods in order to ensure it is protecting any information within its systems and applications. These network controls should consider all operations of the business carefully, be adequately and proportionately designed, and be implemented according to business requirements, risk assessment, classification and segregation requirements as appropriate. Some possible examples of technical controls for consideration include: connection control and endpoint verification, firewalls and intrusion detection/prevention systems, access control lists, and physical, logical or virtual segregation. It is also important, when connecting to public networks or to networks of other organisations outside organisational control, to consider the increased risk levels and to manage these risks with additional controls as appropriate.
You will need to bear in mind that the auditor will be looking to see that these implemented controls are effective and managed appropriately, including through the use of formal change management procedures.
A.13.1.2 Security of Network Services
Security mechanisms, service levels and management requirements of all network services need to be identified and included in network services agreements, whether these services are provided in-house or outsourced. Put in simple terms, the organisation should set out in its network services agreements all the security measures it is taking to secure those network services. Your auditor will want to see that the design and implementation of networks takes into account both the business requirements and the security requirements, achieving a balance that is adequate and proportionate to both. They will be looking for evidence of this, along with evidence of a risk assessment.
A.13.1.3 Segregation in Networks
Groups of information services, users and information systems should be segregated on networks. Wherever possible, consider segregating duties of network operations and computer/system operations, e.g. public domains, department X or department Y domains. The network design and control must align to and support information classification policies and segregation requirements.
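A.13.1.1 and A.13.1.3 expect that firewall rules and access control lists actually enforce the segregation the classification policy calls for, and that the organisation can show an auditor this is the case. The following is an added example, not code from the page or from ISMS.online, of the kind of check an engineer might run over a rule export to produce that evidence. The zone names, the allowed-flow matrix (POLICY) and the sample rules are all constructed for illustration; a real check would load them from the organisation's own classification scheme and firewall configuration.

```python
"""Audit firewall rules against a zone-segregation policy.

Added example for ISO 27001 A.13.1.1 / A.13.1.3 (not from the page).
Every zone, policy entry and rule below is constructed sample data.
"""
from dataclasses import dataclass

# Constructed zones, ordered from least to most sensitive (assumption).
ZONES = ["public", "dmz", "corp", "restricted"]

# Constructed segregation policy: (source zone, destination zone) -> set of
# permitted TCP ports. A value of None means intra-zone traffic is unrestricted.
# Any (src, dst) pair that is absent from the matrix is denied by default.
POLICY = {
    ("public", "dmz"): {443},
    ("dmz", "corp"): {5432},
    ("corp", "dmz"): {443, 22},
    ("corp", "corp"): None,
    ("corp", "restricted"): {22},
}


@dataclass(frozen=True)
class Rule:
    """One permit rule from a firewall export. port == 0 means 'any port'."""
    name: str
    src: str
    dst: str
    port: int


def violations(rules):
    """Return [(rule name, reason)] for every rule that breaks the policy.

    Checks, in order: unknown zone, cross-zone flow with no policy entry,
    any-port rule across a zone boundary, and a port outside the allowed set.
    """
    findings = []
    for r in rules:
        if r.src not in ZONES or r.dst not in ZONES:
            findings.append((r.name, "references an unknown zone"))
            continue
        if (r.src, r.dst) not in POLICY:
            findings.append((r.name, f"no permitted flow {r.src}->{r.dst}"))
            continue
        allowed = POLICY[(r.src, r.dst)]
        if allowed is None:
            continue  # intra-zone traffic is unrestricted by policy
        if r.port == 0:
            findings.append((r.name, "any-port rule crosses a zone boundary"))
        elif r.port not in allowed:
            findings.append((r.name, f"port {r.port} not permitted {r.src}->{r.dst}"))
    return findings


# Constructed sample rule export: three compliant rules, three violations.
SAMPLE_RULES = [
    Rule("web-in", "public", "dmz", 443),
    Rule("db-from-dmz", "dmz", "corp", 5432),
    Rule("pub-to-corp", "public", "corp", 3389),
    Rule("mgmt-any", "corp", "restricted", 0),
    Rule("guest-wifi", "guest", "corp", 80),
    Rule("ssh-restricted", "corp", "restricted", 22),
]

if __name__ == "__main__":
    for name, reason in violations(SAMPLE_RULES):
        print(f"VIOLATION {name}: {reason}")
```

Running the script lists the three rules that break segregation (a public-to-corp RDP rule, an any-port management rule into the restricted zone, and a rule referencing a zone that the classification policy does not define). Keeping the policy matrix under change control alongside the rule export gives the auditor both the segregation requirement and the evidence that the deployed controls match it.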
What is the objective of Annex A.13.2 of ISO 27001:2013?
Annex A.13.2 is about information transfer. The objective in this Annex is to maintain the security of information transferred within the organisation and with any external entity, e.g. a customer, supplier or other interested party.
A.13.2.1 Information Transfer Policies & Procedures
Formal transfer policies, procedures and controls must be in place to protect the transfer of information through the use of all types of communication facilities. Whatever type of communication facility is in use, it is important to understand the security risks involved in relation to the confidentiality, integrity and availability of the information and this will need to take into account the type, nature, amount and sensitivity or classification of the information being transferred. It is especially important to implement such policies and procedures when information is being transferred out of or into the organisation from third parties. Different but complementary controls may be required to protect information being transferred from interception, copying, modification, mis-routing and destruction and should be considered holistically when identifying which controls are to be selected.
A.13.2.2 Agreements on Information Transfer
Information may be transferred digitally or physically, and agreements must address the secure transfer of business information between the organisation and any external parties. Formal transfer policies, procedures and technical controls should be selected, implemented, operated, monitored, audited and reviewed to ensure ongoing effective security protection. Often, communications and transfer systems and procedures are put in place without a real understanding of the risks involved, which creates vulnerabilities and the possibility of compromise. ISO 27002 touches on implementation considerations, including notifications, traceability, escrow, identification standards, chain of custody, cryptography, access control and others.
A.13.2.3 Electronic Messaging
Any information that is involved in any form of electronic messaging needs to be appropriately protected. Put in simple terms, when using electronic messaging, it should be protected to ensure no unauthorised access can be gained. The organisation should create a policy which sets out which forms of electronic messaging should be used for the different types of information being transferred, e.g. depending on how secure they are. Consideration will also need to be given to voice and fax communications, and to physical transfer (e.g. via postal systems). This should align with access controls and other secure authentication policies and log-on procedures.
A.13.2.4 Confidentiality or Non-Disclosure Agreements
A good control describes how the requirements for confidentiality or non-disclosure agreements that reflect the organisation's needs for the protection of information must be identified, regularly reviewed and documented. As such, the organisation needs to ensure that any information that needs to be protected is protected through the use of confidentiality and non-disclosure agreements.
Agreements are usually specific to the organisation and should be developed with its control needs in mind following the risk analysis work. Standard agreements for confidentiality and non-disclosure that may warrant consideration here include:
- General non-disclosure and mutual non-disclosure agreements, e.g. when sharing sensitive information such as new business ideas.
- Customer agreements using standard terms and conditions – expressing confidentiality within the context of the use of products sold and any complementary services outlined in a related order form.
- Associate/supplier/partner agreements used for small suppliers and independent service providers whom the organisation uses for delivery of services.
- Employment related terms (aligned with A.7).
- Privacy policies e.g. from email footers.