What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.14

If you have been working within the world of information security for a while, you know that ISO 27001 isn’t a “set it and forget it” kind of standard. It breathes and evolves just like the technology it protects. One of the most talked-about shifts in the 2022 update involves how we handle the movement of data. Specifically, we are looking at the transition from the old 2013 framework to the updated Annex A 5.14, which covers Information Transfer.

But what actually changed? Is it just a numbering tweak, or is there more under the hood? Let’s break down the evolution of this essential control in a way that actually makes sense.

The Shift from 2013 to 2022: An Overview

In the 2013 version of the standard, the controls surrounding the movement of information were spread across several sub-sections under Annex A.13 (Information Security Aspects of Business Continuity Management). It felt a bit fragmented, focusing heavily on physical media and “electronic messaging.”

Fast forward to the 2022 update, and ISO has streamlined things significantly. Annex A 5.14, titled “Information Transfer,” is now part of the “Organizational Controls” theme. The primary goal of this change was to simplify the structure while making the requirements more applicable to the modern, cloud-heavy, and remote-work-driven world we live in today.

From Annex A.13 to Annex A 5.14

In the older 2013 version, you might remember controls like A.13.2.1 (Information transfer policies), A.13.2.2 (Agreements on information transfer), and A.13.2.3 (Electronic messaging). The 2022 update effectively consolidated these into a more cohesive unit. According to the experts at Hightable.io, this consolidation helps organisations avoid redundancy in their documentation and ensures that transfer security is treated as a single, continuous process rather than a set of isolated tasks.

Key Changes in Language and Scope

One of the most immediate changes you’ll notice in Annex A 5.14 is the move away from dated terminology. While the 2013 version specifically mentioned “electronic messaging” (which often led people to think only of email), the 2022 version uses broader language. It now encompasses all forms of information transfer—whether that is via an API, a cloud sharing platform, a collaboration tool like Slack or Teams, or traditional email.

The 2022 version is much more “technology-neutral.” This means that as new ways to send data emerge, Annex A 5.14 remains relevant without needing another major rewrite of the standard.

New Requirements for Transfer Agreements

While the 2013 version required agreements for information transfer, the 2022 version goes a bit deeper into the “how.” Annex A 5.14 places a heavier emphasis on the security of the transfer itself, not just the rules surrounding it. You are now expected to ensure that the controls are commensurate with the sensitivity of the information being moved.

For example, if you are transferring highly confidential intellectual property, a simple password-protected PDF might have cut it in 2013, but the 2022 standard pushes for more robust end-to-end encryption and verifiable receipt. Hightable.io highlights that the updated control requires clearer definitions of responsibilities between the sender and the recipient to prevent data leaks during transit.

Practical Impact on Your ISMS

If you are transitioning your Information Security Management System (ISMS) from the 2013 version to the 2022 version, your main task for Annex A 5.14 is to update your Information Transfer Policy. You no longer need separate, clunky procedures for “messaging” and “media transit.” Instead, you can create a unified Information Transfer framework that covers:

  • Rules for secure transfer across all communication types.
  • Types of encryption required for different data classifications.
  • How to handle physical media (which, while rarer, still exists).
  • Specific clauses for third-party agreements to ensure they meet your security standards.

Why the Change Matters

The change to Annex A 5.14 reflects the reality of modern business. We are sharing more data, more often, with more people than we were in 2013. By consolidating these controls and broadening the definitions, ISO 27001:2022 makes it easier for businesses to protect their data in transit without getting bogged down in outdated checklists. It’s about being smarter with your security, not just busier.

If you’re currently mapping your transition, remember that while the numbers have changed, the core mission remains: keeping your data safe while it’s on the move. For those looking for detailed templates and transition guides, resources like Hightable.io can provide the specific documentation needed to align with these new Annex A requirements.