ISO 27001 Annex A 5.14 (Information transfer) requires an organization to have rules, procedures or agreements in place so that information is transferred securely. It covers every form of transfer, both within the organization and with external parties.
What It’s About
The goal is to protect information while it is being moved. Information in transit is exposed to extra risk because it leaves the controls that protect it at rest: it can be intercepted, read, altered, copied, sent to the wrong recipient or lost along the way. This control is about preventing those outcomes, whether they are caused by an attacker or by accident.
Types of Transfers
This rule covers three types of information transfer:
- Electronic: emails, file transfers, messaging, and documents shared through cloud services. Protect the data with encryption in transit (and at rest on the receiving side), restrict who can send and receive it, and keep records of what was transferred.
- Physical: anything tangible that carries information, such as paper documents, backup tapes or USB drives. Use tamper-evident packaging, a reliable courier, and a chain-of-custody record so you can show who had the item at each stage.
- Verbal: in-person conversations, phone and video calls. Avoid discussing confidential matters in public places or on shared lines, and do not leave confidential details in voicemail or with people who are not authorized to hear them.
What an Auditor Looks For
An auditor will expect to see a written information transfer policy. They will look for procedures that explain how each type of transfer is carried out and protected, and they will check for agreements with external parties (for example, customers, suppliers or partners) that set out how transferred information must be handled, protected and, where relevant, returned or destroyed. They will also want evidence that the policy is actually followed, such as transfer logs, courier receipts or records of encrypted transfers.
Frequently Asked Questions
Do I need a written policy?
Yes. A written policy is the primary evidence an auditor will ask for, and it is what your procedures and agreements refer back to.
What is the biggest mistake people make?
The most common mistake is to treat the control as paperwork and never map out how information actually moves. You need to know which data leaves which systems, by what channels, to whom, and what protects it at each step of the journey.
Is this rule hard to follow?
Writing the policy and agreements does not require specialist technical skills; it requires a clear picture of how information moves through and out of your organization and what protection each route needs. Implementing some of the supporting controls, such as encrypted file transfer or email encryption, may need help from your technical staff.