
ISO 27001 Annex A.13: Communications Security

A.13.1 Network Security Management

This area addresses issues with network security management and involves matters concerning data transfers, to ensure that conditions that preserve data confidentiality, integrity and availability are in place.

A.13.1.1 Network controls

Data stored on and transferred through company networks needs protection against unauthorised access, interception, corruption and other threats. You should understand all the business needs, risks and assets associated with your networks.

Permitting outsiders to access your networks will increase the number of threats to the company. Your plan should account for both internal and external access risks.

Relevant controls include, but are not limited to:

  • Firewalls and intrusion prevention systems
  • Access control lists
  • Connection controls
  • Endpoint verification
  • Network segregation

A.13.1.2 Security of network services

Based on the risk assessment, you should implement security measures to safeguard the data transmitted over network services. Network service agreements must take account of business requirements, security requirements and possible threats, so that the agreed controls actually reduce your exposure.

A.13.1.3 Segregation in networks

Different groups of users and information services should be segregated into separate network domains, for example public access, departmental use, critical systems and management use. This is far safer than having all services share one flat network.
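The following added example (not part of the original page) shows what segregation and deny-by-default network controls look like when written down as an enforceable rule set. The four zones follow the domains named above; the address ranges, the allow-list and the sample flows are all constructed for illustration.

```python
"""Deny-by-default inter-zone policy check (constructed example).

Zones, allow-list and sample flows are hypothetical; the point is the
evaluation order: unknown address -> deny, same zone -> allow, management
zone never reachable from elsewhere, then an explicit allow-list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical zone layout (203.0.113.0/24 is a documentation range).
ZONES = {
    "public": ip_network("203.0.113.0/24"),      # internet-facing services
    "departmental": ip_network("10.10.0.0/16"),  # staff workstations
    "critical": ip_network("10.20.0.0/24"),      # databases, core systems
    "management": ip_network("10.99.0.0/24"),    # admin hosts, device management
}

# Explicit allow-list of (source zone, destination zone, destination port).
# Anything not listed is denied, so every new path must be consciously added.
ALLOWED = {
    ("public", "departmental", 443),
    ("departmental", "critical", 5432),
    ("management", "critical", 22),
    ("management", "departmental", 22),
    ("management", "public", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside every zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for a single flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every defined zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    # Management is isolated: no cross-zone traffic may enter it, regardless
    # of what the allow-list says (a deliberate belt-and-braces rule).
    if dst_zone == "management":
        return "deny", "management zone accepts no inbound cross-zone traffic"
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return "allow", f"{src_zone}->{dst_zone}:{flow.dport} is on the allow-list"
    return "deny", f"{src_zone}->{dst_zone}:{flow.dport} is not on the allow-list"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Evaluate a batch of flows, e.g. observed connections from a log review."""
    return [(f, *evaluate(f)) for f in flows]


# Constructed sample flows, as might be pulled from a connection log.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "10.10.5.5", 443),    # public -> departmental web: allow
    Flow("203.0.113.10", "10.20.0.5", 5432),   # public -> critical DB: deny
    Flow("10.10.5.5", "10.99.0.2", 22),        # workstation -> management: deny
    Flow("10.99.0.2", "10.20.0.5", 22),        # admin host -> critical: allow
    Flow("192.168.1.1", "10.20.0.5", 22),      # unknown source: deny
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src}->{flow.dst}:{flow.dport}  ({reason})")
```

Running the audit over a sample of real connection logs is a cheap way to find flows that the segregation design does not account for, before the rules are pushed to the firewalls themselves.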

A.13.2 Information Transfer

A.13.2.1 Information transfer policies and procedures

Policies are required to support the safe transfer of data between parties across your network. Your standards should cover the different types of transfer in use and ensure that transfer policies and procedures are in place to manage the associated risks.

A.13.2.2 Agreements on information transfer

Agreements between your company and third-party representatives must clearly communicate the need to maintain the confidentiality and integrity of all data sent or received on either end.

Both physical and digital copies of information should be protected against loss or compromise, and handled in line with the requirements set out in the agreements for their classification.

A.13.2.3 Electronic messaging

Any data transferred via digital messaging systems needs to be safeguarded against online threats and aligned to the policy requirements around acceptable forms of e-messaging for different types of information.

High-risk or confidential financial information should never be transferred through electronic communication channels unless strong protection is applied, since exposure of such information creates a risk of identity theft or fraud.

This protection includes end-to-end encryption, masking and monitoring of the transmission.
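As an added example of the masking control mentioned above (not code from the original page), the function below redacts plausible payment card numbers from an outbound message before it is sent and reports how many were masked, so the count can be fed to monitoring. The message text is constructed; the Luhn check is used to avoid masking ordinary long numbers such as order references.

```python
"""Mask card-like financial identifiers in outbound messages (constructed example)."""
import re
from typing import Tuple

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Note 4111 1111 1111 1111 is a standard
# test card number, not a real account.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; card numbers pass, most arbitrary digit strings do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_financial_identifiers(text: str) -> Tuple[str, int]:
    """Return (masked text, number of identifiers masked).

    Only the last four digits are kept, which is enough for the recipient to
    recognise the account without the message carrying the full number.
    """
    count = 0

    def repl(match: "re.Match[str]") -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
            return raw          # not a plausible card number; leave untouched
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return CANDIDATE.sub(repl, text), count


# Constructed outbound message: one real-looking card number, one order number.
SAMPLE_MESSAGE = "Card 4111 1111 1111 1111, order 1234567890123"

if __name__ == "__main__":
    masked, n = mask_financial_identifiers(SAMPLE_MESSAGE)
    print(masked)           # Card ************1111, order 1234567890123
    print("masked:", n)     # masked: 1
```

A non-zero count from this function is itself a useful monitoring signal: it means someone attempted to send a card number over a channel where the policy requires masking, which is worth reviewing even though the content was redacted.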

A.13.2.4 Confidentiality or non-disclosure agreements

Non-disclosure agreements are must-haves for any institution serious about data protection. Be sure to explain the needs and rights of your company to preserve all forms of data confidentiality. Your contract should be drafted and approved by management, and its terms regularly reviewed, amended and updated.

Standard forms of non-disclosure agreement may fall under the following categories:

  • general or mutual non-disclosure
  • terms and conditions of customer use
  • associate supplier or partner agreements
  • employment contracts
  • privacy policies.