ISO 27001 Annex A.13: Communications Security
A.13.1 Network Security Management
This area addresses issues with network security management and involves matters concerning data transfers, to ensure that conditions that preserve data confidentiality, integrity and availability are in place.
A.13.1.1 Network controls
Data stored on and transferred through company networks needs protection against unauthorised access, interception, corruption and other threats. You should understand all the business needs, risks and assets associated with networking.
Permitting outsiders to access your networks will increase the number of threats to the company. Your plan should account for both internal and external access risks.
Relevant controls include, but are not limited to:
- Firewalls and intrusion prevention systems
- Access control lists
- Connection controls
- Endpoint verification
- Network segregation
A.13.1.2 Security of network services
Based on the risk assessment, you should implement security measures to safeguard the data transmitted over network services. Network service agreements must take business requirements, security requirements and possible threats into account so that the agreed controls actually reduce your exposure.
A.13.1.3 Segregation in networks
Different users and information networks should be segregated across the system, with separate domains for public access, departmental use, critical systems and management use. This is a much safer arrangement than having all services share the same network.
A.13.2 Information Transfer
A.13.2.1 Information transfer policies and procedures
Policies are required to support the safe transfer of data between parties across your network. Your standards should cover the different types of transfer in use and ensure that transfer policies and procedures are in place to manage the associated risks.
A.13.2.2 Agreements on information transfer
Agreements between your company and third-party representatives must clearly communicate the need to maintain the confidentiality and integrity of all data sent or received on either end.
Both physical and digital copies of information should be protected against loss or compromise, and handled in line with the requirements set out in the agreements according to their classification.
A.13.2.3 Electronic messaging
Any data transferred via digital messaging systems needs to be safeguarded against online threats and handled in line with the policy requirements on acceptable forms of electronic messaging for each type of information.
High-risk or confidential financial information should never be transferred through electronic communication channels unless strong protection is applied, since exposure of such data can lead to identity theft or fraud.
This protection includes end-to-end encryption, masking and monitoring of the transmission.
A.13.2.4 Confidentiality or non-disclosure agreements
Non-disclosure agreements are must-haves for any institution serious about data protection. Be sure to set out the needs and rights of your company to preserve all forms of data confidentiality. Your contract should be drafted and approved by management, and its terms regularly reviewed, amended and updated.
Standard forms of non-disclosure agreement may fall under the following categories:
- general or mutual non-disclosure
- terms and conditions of customer use
- associate supplier or partner agreements
- employment contracts
- privacy policies.