This control, which concerns information transfer, requires a company to have rules, procedures, or agreements in place to make sure information is transferred safely. It covers every kind of transfer, both inside the company and with other parties.
What is Information Transfer?
Information transfer is usually defined as the process of sending data or knowledge between two or more parties. This sharing can happen in any situation and uses a variety of channels or media.
What is ISO 27001 Annex A 5.14?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Information Transfer”.
What is the ISO 27001 Annex A 5.14 control objective?
The formal definition and control objective in the standard is: “Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organisation and between the organisation and other parties.”
What is the purpose of ISO 27001 Annex A 5.14?
The purpose of ISO 27001 Annex A 5.14 is “to ensure that you maintain the security of information transferred within an organisation and with any external interested party.”
The main goal is to protect information while it is being moved. Information is at its highest risk of being lost or stolen while it is in transit. This control helps keep your data from being disclosed, read, changed, copied, or lost, whether by accident or without authorisation.
Is ISO 27001 Annex A 5.14 Mandatory?
ISO 27001 Annex A control 5.14 (Information Transfer in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.14 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Types of Transfers
This control covers three types of information transfer:
- Electronic: This includes things like emails, file transfers, or sharing documents in the cloud. You should use safeguards such as encryption to keep data safe while it moves.
- Physical: This is about moving things you can touch, like paper documents or USB drives. You should use secure packaging and trusted couriers.
- Verbal: This is about talking, like in-person conversations or phone calls. You should not hold private conversations in public places or leave private messages on voicemail.
Key Parts of the Control
The control requires you to set up a policy and procedures for transferring information, based on the specific topic and on the information’s security classification.
General requirements that apply to all transfers include:
- Deciding on appropriate safeguards based on how sensitive the information is. This protects it from being accessed, changed, or destroyed without permission.
- Keeping track of the information throughout the process (chain of custody) and making sure it can be followed while it moves.
- Defining the roles and responsibilities for everyone involved in the transfer (like the data owners or security staff).
- Assigning who is responsible if a data breach happens during the transfer.
- Using a clear labelling system to manage the items you are moving.
- Making sure the transfer services you use are available and dependable.
- Following all relevant laws, regulations, and contract terms about moving information.
What an Auditor Will Check
An auditor will want to see evidence that you are following this control. They will look for:
- A written policy for information transfer.
- Procedures that explain how you move data.
- Agreements with other companies that state how data will be handled.