- See ISO 27002:2022 Control 5.14 for more information.
- See ISO 27001:2013 Annex A 13.2.1 for more information.
- See ISO 27001:2013 Annex A 13.2.2 for more information.
- See ISO 27001:2013 Annex A 13.2.3 for more information.
The Essentials of Secure Information Transfer: ISO 27001 5.14
The purpose of ISO 27001:2022 Annex A 5.14 is to ensure the security of all user devices.
This means that measures must be taken to protect the devices from malicious software and other threats, as well as to maintain the confidentiality, integrity and availability of the data stored on them.
ISO 27001:2022 Annex A Control 5.14 mandates organisations to install the necessary rules, procedures, or contracts to maintain data security when shared internally or sent to external parties.
Ownership of ISO 27001:2022 Annex A Control 5.14
The backing and acceptance of senior management is essential for the formation and execution of regulations, protocols, and contracts.
It is, however, imperative to have the collaboration and specialist knowledge of various players within the organisation, such as the legal staff, IT personnel, and top brass.
The legal team should ensure the organisation enters into transfer agreements that adhere to ISO 27001:2022 Annex A Control 5.14. Additionally, the IT team should be actively involved in specifying and executing controls for safeguarding data, as indicated in 5.14.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
General Guidance on ISO 27001:2022 Annex A 5.14
Ensuring compliance with 5.14 requires the creation of rules, procedures and agreements, including a data transfer policy that is specific to the topic, and gives data in transit an appropriate protection level according to the classification it is assigned.
The level of security should be proportional to the importance and sensitivity of the data being sent. ISO 27001:2022 Annex A 5.14 also requires organisations to enter into transfer agreements with recipient third parties to ensure secure transmission of data.
ISO 27001:2022 Annex A Control 5.14 categorises transfer types into three groups:
- Electronic transfer.
- Physical storage media transfer.
- Verbal transfer.
Before progressing to detail the specific demands of each type of transfer, ISO 27001:2022 Annex A Control 5.14 outlines the elements that must be present in all regulations, procedures, and contracts pertaining to all three transfers in general:
- Organisations must determine appropriate controls based on the classification level of information in order to protect it while in transit from unauthorised access, alteration, interception, duplication, destruction and denial-of-service assaults.
- Organisations must keep track of the chain of custody while in transit and establish and carry out controls to guarantee the traceability of data.
- Specify who is involved in the data transfer and give their contact info, such as the data owners and the security personnel.
- In the event of a data breach, liabilities shall be allocated.
- Implement a labelling system to keep track of items.
- Ensuring the transfer service is available.
- Guidelines regarding the methods of information transfer should be developed according to specific topics.
- Guidelines for storing and discarding all business documents, including messages, must be followed.
- Examine the impact any applicable laws, regulations, or other obligations may have on the transfer.
Supplementary Guidance on Electronic Transfer
ISO 27001:2022 Annex A Control 5.14 details the specific content requirements for rules, procedures and agreements associated with the three types of transfers. The minimum content requirements must be adhered to across all three.
Rules, agreements and procedures should address the following considerations when transferring information electronically:
- The identification and thwarting of malware assaults is paramount. It is essential that you use the latest technology to detect and prevent attacks from malicious software.
- Ensuring the security of confidential information found in the attachments sent.
- Ensure communications are sent to the appropriate recipients by avoiding the risk of sending to the incorrect email address, address or phone number.
- Gain permission before beginning to utilise any public communication services.
- Stricter authentication methods should be employed when sending data via public networks.
- Imposing limits on the usage of e-communication services, e.g. prohibiting automated forwarding.
- Advise personnel to avoid using short message or instant message services to share sensitive data, as the content could be viewed by unauthorised individuals in public areas.
- Advise staff and other interested parties on the protection risks that fax machines may pose, such as unauthorised access or misdirecting messages to certain numbers.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Supplementary Guidance on Physical Storage Media Transfer
When information is physically shared, rules, procedures, and agreements should include:
- Parties are responsible for notifying each other of the transmission, dispatch and receipt of information.
- Ensuring the message is addressed correctly and sent appropriately.
- Good packaging eliminates the chance of damage to the contents during transit. For example, the packaging should be resistant to heat and moisture.
- A reliable, authorised courier list has been agreed upon by management.
- An overview of courier identification standards.
- For sensitive and critical information, tamper-resistant bags should be employed.
- Verifying the identities of couriers is important.
- This list of third parties, classified according to their level of service, provides transportation or courier services and has been approved.
- Record the time of delivery, authorised receiver, safety measures taken and confirmation of receipt at the destination in a log.
Supplementary Guidance on Verbal Transfer
Personnel must be made aware of the risks associated with exchanging information within the organisation or transmitting data to external parties, in accordance with ISO 27001:2022 Annex A Control 5.14. These risks include:
- They should refrain from discussing confidential matters in insecure public channels or in public areas.
- One ought not leave voicemails with confidential information due to the danger of replay by those not authorised, as well as the risk of re-routing to third parties.
- Individuals, both staff and other applicable third parties, should be screened prior to being granted admission to conversations.
- Rooms used for confidential conversations should be fitted with necessary soundproofing.
- Prior to engaging in any sensitive dialogue, a disclaimer should be issued.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Changes and Differences From ISO 27001:2013?
ISO 27001:2022 Annex A 5.14 supersedes ISO 27001:2013 Annex A 13.2.1, 13.2.2 and 13.2.3.
The two controls bear some resemblance, however two major distinctions make the requirements of 2022 more burdensome.
Specific Requirements for Electric, Physical and Verbal Transfers
Section 13.2.3 in the 2013 version covered the particular demands for the transmission of data by electronic messaging.
However, it did not specifically address the transmission of information through verbal or physical means.
In comparison, the 2022 version is precise in its identification of three types of information transfer, and outlines the necessary content for each of them individually.
ISO 27001:2022 Sets Stricter Requirements for Electronic Transfer
Section 13.2.3 of the 2022 Version sets out more stringent requirements for the content of electronic messaging agreements.
Organisations must detail and execute new regulations for digital transfers in the form of rules, procedures, and contracts for ISO 27001:2022.
For example, organisations should caution their staff against utilising SMS services when transmitting sensitive information.
Detailed Requirements for Physical Transfers
The 2022 version imposes stricter regulations on the physical transfer of storage media. For example, it is more thorough in its authentication of couriers and safeguards against different forms of damage.
Structural Changes
In the 2013 version, an explicit reference was made to the necessary requirements of information transfers agreements. However, the ‘Rules’ and ‘Procedures’ were not outlined in detail.
For ISO 27001:2022, specific criteria are outlined for each of the three approaches.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
How ISMS.online Helps
Implementing ISO 27001:2022 can be made simpler with our step-by-step checklist. It will guide you through the entire process from defining the scope of your ISMS to identifying risks and implementing controls.
Book your demonstration today. Appointments are available seven days a week, so schedule yours at a time that works for you.
