ISO 27001:2022 Annex A Control 5.14 (A.5.14)
Explaining Control 5.14 (A.5.14) Information transfer
ISO 27001 Annex A Control 5.14 requires that information transfer rules, procedures or agreements be in place for all types of transfer facilities, both within the organization and between the organization and other parties. It covers every form of transfer (electronic, physical and verbal) and aims to prevent unauthorized access to, interception of, or corruption or loss of information while it is in transit.
Control Type
- Preventive
Information Security Properties
- Confidentiality
- Integrity
- Availability
Cybersecurity Concepts
- Protect
Operational Capabilities
- Asset Management
- Information Protection
Security Domains
- Protection
Objective of Control 5.14
The objective of ISO 27001 Control 5.14 is to protect your organization’s information against security risks that arise when data is moved from one place to another. By defining how information should be shared internally and externally, this control helps your organization:
- Maintain confidentiality by preventing unauthorized disclosure.
- Preserve integrity by preventing unauthorized changes or tampering.
- Ensure availability by minimizing disruptions that can arise during or after the transfer process.
The focus is on creating a reliable environment in which data can be transmitted while meeting legal, regulatory, and business requirements.
Purpose of Information Transfer Security
The primary purpose of implementing proper information transfer security measures is to establish robust practices that reduce the likelihood of accidental or deliberate compromise. Your organization can achieve this by:
- Maintaining clearly documented rules and procedures that address various modes of data transfer.
- Ensuring that employees, contractors, and third parties understand their roles and responsibilities for safeguarding information.
- Applying a classification-based approach to determine the level of protection needed, especially for sensitive or confidential data.
- Enabling traceability and accountability to detect and address incidents when they occur.
Scope and Applicability of Information Transfer
Information transfer applies to all data that moves within your organization’s network or flows between your organization and external parties. This includes:
- Electronic Transfer: Email, instant messaging, cloud file sharing, virtual private networks, or any other internet-based communication platform.
- Physical Storage Media: Paper documents, USB drives, DVDs, or other transportable media.
- Verbal Communication: Phone calls, video conferencing, in-person discussions, or voicemail messages.
Policy and Procedures for Secure Information Transfer
Information Transfer Policy
A dedicated policy on secure information transfer provides high-level guidance on how data should be handled in transit. This policy should:
- Align with your organization’s overall information security policies.
- Be communicated to all employees, contractors, and relevant third parties.
- Outline responsibilities for maintaining security and define what constitutes permitted and restricted transfer methods.
Classification of Information
Your organization should classify data based on sensitivity and assign protective measures accordingly. Examples of classification levels include public, internal, confidential, or restricted. For highly sensitive information, stricter controls such as encryption or restricted courier services may be required.
Transfer Agreements
Formal agreements with external parties ensure that both sides maintain consistent security practices. These transfer agreements usually cover:
- Authentication requirements for receiving parties.
- Approved methods of sending and receiving data.
- Required protective measures (e.g., cryptographic techniques).
- Responsibilities and liabilities in the event of data breaches or mishandling.
Roles and Responsibilities
All individuals involved in an information transfer should have clear responsibilities. These roles can include:
- Information Owners: Define security requirements and classification levels.
- Risk Owners: Evaluate threats and vulnerabilities related to data in transit.
- Security Officers: Oversee implementation of security controls and training.
- Custodians: Handle day-to-day processes such as packaging and courier arrangements.
Traceability and Non-Repudiation
Log all transfer activities so you can trace each step if a security incident arises. Methods for achieving traceability include:
- Using chain-of-custody forms for physical media.
- Keeping system-generated logs for electronic file exchanges.
- Requiring digital signatures or other forms of non-repudiation. A signature only proves who sent something if the signing key is tied to a named individual or system and stays under that party's sole control, so the signing key needs at least the protection given to the data itself.
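The log entries and digital signatures above can be combined into a signed transfer record. The following Go program is an added example, not code from the original page and not something ISO 27001 prescribes; the record fields, the JSON encoding, the choice of Ed25519 and the file contents are assumptions made for illustration. The sender signs a record that includes the SHA-256 hash of the exact bytes sent; the recipient verifies the signature with the sender's public key and recomputes the hash, so both an edited record and a file altered in transit are detected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TransferRecord is a hypothetical log entry for one electronic file exchange:
// who sent which file to whom, under which classification, and the SHA-256
// hash of the exact bytes that were sent.
type TransferRecord struct {
	Sender         string `json:"sender"`
	Recipient      string `json:"recipient"`
	Classification string `json:"classification"`
	Filename       string `json:"filename"`
	SHA256         string `json:"sha256"`
	SentAt         string `json:"sent_at"`
}

// SignedRecord is the record plus the sender's hex-encoded Ed25519 signature
// over the record's JSON encoding.
type SignedRecord struct {
	Record    TransferRecord `json:"record"`
	Signature string         `json:"signature"`
}

// encode produces the bytes that are signed. encoding/json writes struct fields
// in declaration order, so the same record always encodes to the same bytes.
func encode(r TransferRecord) ([]byte, error) {
	return json.Marshal(r)
}

// SignTransfer hashes the file, fills in the record and signs it with the
// sender's private key.
func SignTransfer(priv ed25519.PrivateKey, sender, recipient, classification, filename string, contents []byte, sentAt time.Time) (SignedRecord, error) {
	sum := sha256.Sum256(contents)
	rec := TransferRecord{
		Sender:         sender,
		Recipient:      recipient,
		Classification: classification,
		Filename:       filename,
		SHA256:         hex.EncodeToString(sum[:]),
		SentAt:         sentAt.UTC().Format(time.RFC3339),
	}
	msg, err := encode(rec)
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Record: rec, Signature: hex.EncodeToString(ed25519.Sign(priv, msg))}, nil
}

// VerifyTransfer is run by the recipient: the signature must verify under the
// sender's public key, and the hash of the bytes actually received must equal
// the hash the sender signed.
func VerifyTransfer(pub ed25519.PublicKey, sr SignedRecord, received []byte) error {
	msg, err := encode(sr.Record)
	if err != nil {
		return err
	}
	sig, err := hex.DecodeString(sr.Signature)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature invalid: record altered or not signed by the claimed sender")
	}
	sum := sha256.Sum256(received)
	if hex.EncodeToString(sum[:]) != sr.Record.SHA256 {
		return errors.New("hash mismatch: file contents changed in transit")
	}
	return nil
}

func main() {
	// In practice the key pair is generated once and the public key is given to
	// the counterparty under the transfer agreement, not sent with each file.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	file := []byte("constructed sample: Q3 supplier price list") // constructed sample content

	sr, err := SignTransfer(priv, "alice@example.org", "bob@partner.example", "confidential", "prices-q3.csv", file, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine transfer:", VerifyTransfer(pub, sr, file))

	altered := append([]byte(nil), file...)
	altered[0] ^= 0x01
	fmt.Println("file modified in transit:", VerifyTransfer(pub, sr, altered))

	forged := sr
	forged.Record.Recipient = "mallory@attacker.example"
	fmt.Println("record edited after signing:", VerifyTransfer(pub, forged, file))
}
```

The signed record, stored by both sides, is the electronic equivalent of a chain-of-custody form: it names the parties, the classification and the exact content, and it cannot be repudiated by the sender as long as the private key was under the sender's control. The same structure works for physical media if the hash is taken over the image written to the drive.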
Legal, Regulatory, and Contractual Compliance
Depending on your jurisdiction and industry, your organization may have to follow specific regulations related to data protection or privacy. These could include retention guidelines, disposal procedures, and requirements for electronic signatures. Your policies should reflect these requirements to ensure compliance.
Transfer Methods and Recommended Controls
Electronic Information Transfer
Electronic transfer methods require technical safeguards to reduce the risks of interception or unauthorized modification. The steps below enhance confidentiality, integrity, and availability when you share information across digital channels:
- Encryption: Protect sensitive attachments or messages with authenticated encryption (e.g., AES-256 in GCM mode), which detects modification as well as preventing disclosure, or send them over a TLS-protected channel; exchange keys through a separate, verified path, never in the same message as the data.
- Malware Protection: Implement antivirus or anti-malware solutions to scan files before sending or receiving them.
- Address Verification: Check recipients’ email addresses, especially when transferring large or confidential files, against the address recorded in the transfer agreement rather than an autocomplete suggestion or a reply-to header.
- Access Control: Enforce multi-factor authentication or secure login for external-facing portals.
- Usage Restrictions: Restrict auto-forwarding to external addresses. Monitor file-sharing platforms and instant messaging tools.
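As an added example of the encryption and address-verification items above (not code from the original page, and not an ISO requirement), the following Go program seals an attachment with AES-256-GCM, an authenticated mode, so that any change in transit is detected on decryption, and binds the recipient's address into the authenticated data so that an envelope re-addressed to another mailbox will not open even with the right key. The envelope layout (nonce, then ciphertext and tag), the ApprovedRecipient check against domains named in a transfer agreement, and the sample attachment are assumptions made for illustration. Key distribution is out of scope: the 32-byte key is assumed to have reached the recipient through a separate, verified channel.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// newGCM builds the AEAD and enforces a 32-byte key, i.e. AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("transfer key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// normalize: mail addresses compare case-insensitively, so the binding does too.
func normalize(addr string) string { return strings.ToLower(strings.TrimSpace(addr)) }

// Seal encrypts contents for one recipient. Envelope layout (an assumption of
// this example): 12-byte random nonce || ciphertext || 16-byte GCM tag. The
// recipient address is associated data: authenticated but not encrypted.
func Seal(key []byte, recipient string, contents []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Random 96-bit nonces are fine for a modest number of envelopes per key;
	// rotate the key rather than reuse it for a large volume of transfers.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, contents, []byte(normalize(recipient))), nil
}

// Open decrypts an envelope for the stated recipient. Any change to nonce,
// ciphertext, tag or recipient address makes the GCM tag check fail.
func Open(key []byte, recipient string, envelope []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(envelope) < ns+aead.Overhead() {
		return nil, errors.New("envelope too short to hold nonce and tag")
	}
	pt, err := aead.Open(nil, envelope[:ns], envelope[ns:], []byte(normalize(recipient)))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong recipient or envelope modified in transit")
	}
	return pt, nil
}

// ApprovedRecipient: the domain after the last '@' must equal a domain named in
// the transfer agreement. A suffix test such as strings.HasSuffix(addr,
// "partner.example") would accept "bob@partner.example.attacker.test".
func ApprovedRecipient(addr string, approvedDomains []string) bool {
	addr = normalize(addr)
	at := strings.LastIndex(addr, "@")
	if at < 1 || at == len(addr)-1 {
		return false
	}
	for _, d := range approvedDomains {
		if addr[at+1:] == normalize(d) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // AES-256 key; assumed to be shared out of band
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	attachment := []byte("constructed sample: confidential contract draft v3")
	agreement := []string{"partner.example"}
	fmt.Println("lookalike domain approved:", ApprovedRecipient("bob@partner.example.attacker.test", agreement))
	env, err := Seal(key, "bob@partner.example", attachment)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, "bob@partner.example", env)
	fmt.Printf("intended recipient: %q err=%v\n", pt, err)
	_, err = Open(key, "mallory@partner.example", env)
	fmt.Println("re-addressed to another mailbox:", err)
	env[len(env)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(key, "bob@partner.example", env)
	fmt.Println("modified in transit:", err)
}
```

Because the address travels as associated data rather than inside the ciphertext, a gateway or the recipient's mail client can still see who the envelope is for, yet a message auto-forwarded to a different mailbox cannot be opened there. In production the key would come from an agreed key-management process (Control 8.24) rather than being generated inline as in this example.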
Physical Media Transfer
Physical forms of data can be equally vulnerable, so appropriate measures include:
- Packaging and Labelling: Place storage media in sealed, tamper-evident envelopes. Label each package according to its classification level.
- Courier Selection: Use trusted courier services. Confirm courier identification upon pickup and delivery.
- Environmental Protections: Store sensitive media in containers that guard against heat, moisture, or magnetic fields.
- Chain-of-Custody: Maintain detailed logs indicating when the media was transferred, by whom, and to whom.
These controls mitigate the risks of accidental damage, unauthorized access, or loss of physical assets during transit.
Verbal Communication
Verbal communication can inadvertently lead to leakage if not handled carefully:
- Secured Spaces: Conduct sensitive discussions in private meeting rooms or secure areas to prevent eavesdropping.
- Phone and Voicemail Use: Avoid leaving confidential details on voicemail or answering machines.
- Participant Screening: Verify that all participants are authorized to receive sensitive data.
- Conversation Initiation: Start a discussion with a reminder of the classification level to keep all participants aware of handling requirements.
Incident Management and Reporting
A clear and concise incident management plan enables your organization to detect, report, and address any information security incidents related to data in transit. This process includes:
- Rapid reporting to designated security officers or incident response teams.
- Identification and assessment of the incident’s scope.
- Containment strategies to prevent further exposure or damage.
- Root cause analysis to determine how the breach occurred.
- Creation of a remediation plan, including updates to policies or procedures if necessary.
Other Relevant ISO 27001 Controls
Implementing Control 5.14 often intersects with other ISO 27001 controls. Coordinating these controls creates a cohesive security framework that addresses the risks of transferring data.
- Control 5.10: Acceptable use of information and other associated assets.
- Control 5.13: Labeling of information to match its classification.
- Controls 5.31 to 5.34: Legal, statutory, regulatory and contractual requirements; intellectual property rights; protection of records; privacy and protection of PII.
- Control 8.7: Protection against malware, for secure electronic communication.
- Control 8.24: Use of cryptography, for protecting data at rest and in transit.
Templates and Tools for Implementing Secure Information Transfer
You may benefit from structured resources to streamline implementation of Control 5.14:
- Information Transfer Policy Template: Outlines mandatory requirements and practical instructions on data sharing.
- Chain-of-Custody Forms: Standardized documents for logging physical media handovers and transfers.
- Risk Assessment Tool: Helps you identify which transfer methods pose the greatest threats to your data.
- Encryption Guidelines: Provide straightforward procedures for setting up and managing encryption solutions.
- Third-Party Agreement Template: Ensures external parties comply with the same security standards.
Summary of Control 5.14 Best Practices
ISO 27001 Control 5.14 focuses on protecting information while it moves within or beyond your organization. It emphasizes structured policies, classification-driven protective measures, and formal agreements with third parties. By defining roles, implementing technical and procedural controls, and keeping detailed records of each transfer, your organization creates a dependable environment for moving information securely. This proactive approach protects confidentiality, integrity, and availability while supporting compliance with relevant laws and regulations.