
ISO 27001:2022 Annex A Control 5.14

Information transfer

Annex A control 5.14 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 13.2.1, ISO 27001:2013 Annex A 13.2.2, and ISO 27001:2013 Annex A 13.2.3.

Annex A Control 5.14 has been created to ensure security across all user devices. It addresses the measures that should be taken to protect devices from malicious software, while also maintaining the integrity, confidentiality and availability of the data they hold.

Annex A 5.14 outlines how organisations must implement rules, procedures or contracts to maintain data security when information is shared either internally or externally.

Ownership of Annex A Control 5.14

Control 5.14 calls for the formation and execution of regulations, protocols and contracts. This requires the endorsement of senior management. Collaboration and specialist knowledge from team members within an organisation are also essential – including personnel from legal teams and IT departments.

The legal team must be involved in making sure the organisation adheres to Control 5.14 in any transfer agreements, while the IT team should be actively involved in specifying and implementing the controls that safeguard data.

Understanding 5.14 compliance

5.14 compliance dictates that a number of rules, procedures and agreements should be put in place, including a data transfer policy. This policy must be tailored to the topic, and should give transferred data an appropriate level of protection.

Security levels should be proportional to the sensitivity of the data being sent. Annex 5.14 mandates that organisations enter into transfer agreements with recipient third parties to make sure data transmission is secure.

ISO 27001:2022 Annex A Control 5.14 outlines three types of transfer:

  • Electronic transfer
  • Physical storage media transfer
  • Verbal transfer

Ensuring secure data transfer

Annex A 5.14 outlines the elements that should be present in every regulation, procedure, and contract pertaining to all three kinds of transfer. These are:

  • Organisations must determine controls based on the classification of information to protect it while in transit from unauthorised access, interception, alteration, duplication, or destruction.
  • Organisations must keep a record of the chain of custody while in transit and establish controls to guarantee data traceability.
  • Organisations must specify who is involved in the data transfer and provide contact information.
  • In the event of a data breach, liabilities should be allocated.
  • Organisations should implement a labelling system to keep track of items.
  • Organisations should ensure the transfer service is available.
  • Guidelines should be developed regarding the methods of information transfer, according to specific topics.
  • Guidelines for storing and discarding business documents must be followed.
  • Organisations must examine the impact on transfer of any applicable laws, regulations, or other obligations.

Electronic transfer

Control 5.14 outlines specific guidelines for each of the transfer types. When transferring information electronically, rules, agreements, and procedures should address the following:

  • Detection and prevention of malware attacks. It is essential that up-to-date technology is implemented to detect and prevent attacks.
  • Ensure the security of confidential information contained in attachments that are sent.
  • Communications must reach the intended recipients; avoid the risk of sending to incorrect email addresses, phone numbers, or postal addresses.
  • Gain permission before utilising public communication services.
  • Strict authentication methods should be employed when sending data via public networks.
  • Impose limits on the usage of e-communication services.
  • Advise staff to avoid using instant messaging to share sensitive data, as it could be viewed by unauthorised individuals.
  • Advise staff and relevant parties on the security risks that fax machines may pose.

Physical storage media transfer

When physically sharing information, rules and procedures should include:

  • Parties are responsible for notifying each other of the transmission, dispatch, and receipt of information.
  • Ensure messages are addressed correctly and sent appropriately.
  • Packaging that protects the contents from damage during transit.
  • A reliable, authorised courier list agreed upon by management.
  • An overview of courier identification standards.
  • Tamper-resistant bags for sensitive and critical information.
  • Identity verification for couriers.
  • Records of the time of delivery, the authorised receiver, the safety measures taken, and confirmation of receipt.

Verbal transfer

There are risks associated with the verbal transfer of information both within the organisation and when transmitting data to external parties. To mitigate these risks, organisations should:

  • Refrain from discussing confidential matters in public or insecure areas.
  • Avoid leaving voicemails containing confidential information.
  • Screen staff and third parties before they are made privy to sensitive conversations.
  • Provide suitable soundproofing in rooms used for confidential discussions.
  • Issue disclaimers before engaging in sensitive dialogue.

What has changed since ISO 27001:2013?

There are some major distinctions between the older and newer versions of the Information Transfer control.

The first of these is the specific requirements for electronic, physical, and verbal transfers. Unlike the 2013 version, the 2022 version is precise in its identification of the three transfer types, and outlines the necessary content for each of them individually.

The 2022 version also sets out more stringent requirements for the content of electronic messaging agreements. Organisations must detail and execute new regulations for digital transfers, including rules, procedures, and contracts.

There are now also stricter requirements for the physical transfer of storage media, which are more thorough regarding the authentication of couriers and the safeguards applied.