What does control A.3.7 require?
Information transfer rules, procedures, or agreements related to processing PII shall be in place for all types of transfer facilities within the organisation and between the organisation and other parties.
This control sits within the shared security controls (Table A.3) and applies to both PII controllers and PII processors. It addresses the security of PII in transit, complementing the controller-specific transfer controls in A.1.5, which focus on the legal and governance aspects of international transfers.
What does the implementation guidance say?
Annex B (section B.3.7) provides the following guidance:
- Ensure rules related to PII processing are enforced throughout the system and, where applicable, outside it
- Consider all transfer methods, including electronic transfers (email, file sharing, APIs, cloud synchronisation), physical transfers (portable media, printed documents, courier) and verbal communication
- Transfer rules should specify the security controls required for each method and classification level
- Agreements with external parties should define responsibilities for PII protection during transfer
- Procedures should address the handling of transfer failures, interceptions and lost media
- See also A.3.20: Storage Media for related requirements
- See also A.3.21: Secure Disposal or Re-Use of Equipment for related requirements
The guidance emphasises that transfer security is not limited to encryption. It encompasses the entire lifecycle of a transfer: authorisation, packaging, transmission, receipt confirmation and handling of exceptions.
How does this map to GDPR?
Control A.3.7 maps to GDPR Article 5(1)(f) (integrity and confidentiality principle). The GDPR requires that personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Secure transfer procedures are a core component of this obligation.
This control also supports compliance with Article 32 (security of processing), which requires appropriate technical and organisational measures, including as appropriate the encryption of personal data and the ability to ensure the ongoing confidentiality of processing systems.
How does this relate to ISO 29100 privacy principles?
As a shared security control, A.3.7 supports the broader ISO 29100 framework. Transfer security is a direct implementation of the information security principle, ensuring that PII is protected not just at rest but throughout its movement between systems, locations and organisations.
What evidence do auditors expect?
When assessing compliance with A.3.7, auditors will typically look for:
- Transfer policy or procedures — Documented rules covering all transfer methods (electronic, physical, verbal) with specific provisions for PII
- Encryption standards — Evidence that PII is encrypted in transit using current standards (e.g. TLS 1.2+ for electronic transfers, encrypted containers for portable media)
- Transfer agreements — Executed agreements with external parties that define security requirements for PII in transit
- Technical controls — Configuration evidence for email encryption, secure file transfer platforms, VPNs and API security
- Incident handling — Procedures for dealing with transfer failures, such as lost portable media or intercepted communications
What are the related controls?
| Control | Relationship |
|---|---|
| A.3.5 Classification of information | Classification levels determine the transfer security controls required |
| A.3.6 Labelling of information | Labels make classification visible, helping personnel apply correct transfer procedures |
| A.1.5.2 Basis for PII transfer between jurisdictions | Legal transfer basis (controller control) complements the security measures in A.3.7 |
| A.1.5.4 Records of transfer of PII | Transfer records should reference the security measures applied during transfer |
| A.3.3 Policies for information security | Transfer procedures should be grounded in the overarching security policy |
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was spread across Clauses 6.10.2.1, 6.10.2.2 and 6.10.2.3, covering electronic messaging, information transfer policies and procedures, and confidentiality agreements respectively. The 2025 edition consolidates these into a single control (A.3.7) with unified guidance in B.3.7. This makes the requirement more coherent and easier to implement, while retaining the same substantive scope. See the Annex F correspondence table for the full mapping.
Why choose ISMS.online for managing secure information transfer?
ISMS.online provides the tools to document, enforce and evidence your transfer security controls:
- Transfer procedure documentation — Create and maintain transfer procedures for each method (email, file sharing, physical media) with version control and approval workflows
- Supplier and partner management — Store transfer agreements alongside supplier profiles, track compliance with agreed security requirements, and flag when agreements need renewal
- Control evidence — Link technical controls (encryption configurations, secure transfer platform settings) to the relevant policy requirements
- Incident management — Log and track transfer-related incidents with root cause analysis and corrective actions
- Integrated risk register — Assess transfer risks alongside other information security risks, ensuring proportionate controls are applied based on classification level
FAQs
Does this control only apply to external transfers?
No. The control explicitly covers transfers “within the organisation and between the organisation and other parties.” Internal transfers, such as moving PII between departments, systems or locations within the same organisation, must also be subject to transfer rules. This includes internal email, file sharing between teams, data replication between data centres, and physical movement of documents between offices.
What encryption standards should be used for PII in transit?
As a minimum, use TLS 1.2 or later for electronic transfers. For email, consider S/MIME or PGP for sensitive PII. For portable media, use AES-256 encryption. For API transfers, enforce HTTPS with mutual TLS where possible. The specific standards should be proportionate to the classification level of the PII being transferred and aligned with current industry best practice and regulatory guidance.
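The two technical minimums this page sets, TLS 1.2 or later with mutual TLS for API transfers (this FAQ) and configuration evidence for encryption in transit (the auditor expectations above), can be expressed in a small amount of code. The following is an added example, not ISMS.online's or ISO 27701's own material: it builds a Python stdlib TLS server context that refuses anything below TLS 1.2 and requires a client certificate, and it checks a handful of constructed transfer records against the same rules. The record fields, the sample transfers and the `ca_bundle` path are all assumptions made for the demonstration.

```python
"""Added example (not from the page or the standard): enforce and check the
A.3.7 FAQ transfer minimums - TLS 1.2+, mutual TLS for APIs, S/MIME or PGP
for sensitive PII by email, AES-256 for portable media."""
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lowest protocol version accepted for electronic PII transfers (per the FAQ).
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def build_pii_transfer_context(ca_bundle: Optional[str] = None,
                               require_client_cert: bool = True) -> ssl.SSLContext:
    """Server-side context for an endpoint that receives PII over HTTPS.

    ca_bundle: assumed path to the CA that issued client certificates; None
    keeps the default trust store so the example runs offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS_VERSION        # rejects SSLv3, TLS 1.0 and 1.1
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED      # mutual TLS: client must present a cert
        if ca_bundle:
            ctx.load_verify_locations(cafile=ca_bundle)
    # In deployment the server certificate and key are loaded here with
    # ctx.load_cert_chain(certfile=..., keyfile=...); omitted so the demo runs offline.
    return ctx


def context_enforces_policy(ctx: ssl.SSLContext) -> bool:
    """True if the context meets the FAQ minimums (evidence an auditor can re-run)."""
    return ctx.minimum_version >= MIN_TLS_VERSION and ctx.verify_mode == ssl.CERT_REQUIRED


@dataclass(frozen=True)
class TransferRecord:
    """One observed PII transfer. Field set is an assumption for this example."""
    ref: str
    method: str                                   # "api", "email" or "portable_media"
    classification: str                           # "standard" or "sensitive"
    tls_version: Optional[ssl.TLSVersion] = None  # negotiated version (electronic only)
    mutual_tls: bool = False                      # client certificate verified?
    message_encryption: Optional[str] = None      # "smime" or "pgp" for email
    media_cipher: Optional[str] = None            # cipher used on portable media


def assess(record: TransferRecord) -> List[str]:
    """Return the policy findings for one transfer (empty list means compliant)."""
    findings: List[str] = []
    if record.method in ("api", "email"):
        # ssl.TLSVersion is an IntEnum, so versions compare numerically.
        if record.tls_version is None or record.tls_version < MIN_TLS_VERSION:
            findings.append("transport below TLS 1.2")
    if record.method == "api" and not record.mutual_tls:
        findings.append("mutual TLS not enforced on API transfer")
    if (record.method == "email" and record.classification == "sensitive"
            and record.message_encryption not in ("smime", "pgp")):
        findings.append("sensitive PII emailed without S/MIME or PGP")
    if record.method == "portable_media" and record.media_cipher != "AES-256":
        findings.append("portable media not AES-256 encrypted")
    return findings


def assess_all(records: List[TransferRecord]) -> Dict[str, List[str]]:
    """Map each transfer reference to its findings; only non-compliant ones appear."""
    return {r.ref: assess(r) for r in records if assess(r)}


# Constructed sample transfers (not real records) covering each method.
SAMPLE_TRANSFERS = [
    TransferRecord("T-001", "api", "sensitive", ssl.TLSVersion.TLSv1_3, mutual_tls=True),
    TransferRecord("T-002", "api", "standard", ssl.TLSVersion.TLSv1_1, mutual_tls=False),
    TransferRecord("T-003", "email", "sensitive", ssl.TLSVersion.TLSv1_2, message_encryption=None),
    TransferRecord("T-004", "email", "standard", ssl.TLSVersion.TLSv1_2),
    TransferRecord("T-005", "portable_media", "sensitive", media_cipher="AES-128"),
    TransferRecord("T-006", "portable_media", "standard", media_cipher="AES-256"),
]

if __name__ == "__main__":
    print("context enforces policy:", context_enforces_policy(build_pii_transfer_context()))
    for ref, findings in assess_all(SAMPLE_TRANSFERS).items():
        print(ref, "->", "; ".join(findings))
```

Run as a script, the context check reports True and three of the six sample transfers are flagged (T-002 for an old protocol and no client certificate, T-003 for unencrypted sensitive email, T-005 for a weaker media cipher). The context built here is what would back the "configuration evidence" an auditor asks for; the record assessment is the kind of check that turns a transfer policy into something measurable rather than a document on a shelf.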
How should we handle verbal transfers of PII?
Verbal communication of PII (e.g. phone calls, in-person discussions) should be covered by your transfer procedures. Consider measures such as identity verification before disclosing PII verbally, avoiding discussion of sensitive PII in public spaces, using secure communication channels for sensitive conversations, and training personnel on appropriate verbal handling of personal data.