ISO 27001:2022 A 5.14 Information transfer

This control requires organizations to put in place appropriate rules, procedures, and/or agreements to maintain the security of data when it is shared within an organization or when transmitted to third parties. When information is transferred to internal or external parties, it creates a heightened risk to the confidentiality, integrity, availability, and security of information transmitted. This control gives requirements that organizations must satisfy to maintain the security of data when it is shared internally or when it flows out of the organization to third parties. Information Transfer control suggests that the organization should have controls in place to ensure that incidents such as interception, unauthorized access, misrouting, modification, and destruction are avoided. It further includes the concept of non-repudiation, which simply means that a person(s) doing something wrong should not be able to walk away by neglecting their actions; therefore, it is recommended that organizations should have proper rules, procedures and agreements in place while transferring any type of information both in physical and digital form. This control considers three types of information transfer, namely, Physical, Electronic and Verbal. It further provides details regarding how each of these methods should be handled, and the required steps to take.


Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.


To maintain the security of information transferred within an organization and with any external interested party.

ISO 27002 Implementation Guidance


The organization should establish and communicate a topic-specific policy on information transfer to all relevant interested parties. Rules, procedures and agreements to protect information in transit should reflect the classification of the information involved. Where information is transferred between the organization and third parties, transfer agreements (including recipient authentication) should be established and maintained to protect information in all forms in transit. Information transfer can happen through electronic transfer, physical storage media transfer and verbal transfer. For all types of information transfer, rules, procedures and agreements should include:

  1. controls designed to protect transferred information from interception, unauthorized access, copying, modification, misrouting, destruction and denial of service, including levels of access control commensurate with the classification of the information involved and any special controls that are required to protect sensitive information, such as use of cryptographic techniques
  2. controls to ensure traceability and non-repudiation, including maintaining a chain of custody for information while in transit;
  3. identification of appropriate contacts related to the transfer including information owners, risk owners, security officers and information custodians, as applicable;
  4. responsibilities and liabilities in the event of information security incidents, such as loss of physical storage media or data;
  5. use of an agreed labeling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected
  6. reliability and availability of the transfer service;
  7. the topic-specific policy or guidelines on acceptable use of information transfer facilities
  8. retention and disposal guidelines for all business records, including messages; NOTE Local legislation and regulations can exist regarding retention and disposal of business records.
  9. the consideration of any other relevant legal, statutory, regulatory and contractual requirements related to transfer of information (e.g. requirements for electronic signatures).

Electronic transfer

Rules, procedures and agreements should also consider the following items when using electronic communication facilities for information transfer:

  1. detection of and protection against malware that can be transmitted through the use of electronic communications
  2. protection of communicated sensitive electronic information that is in the form of an attachment;
  3. prevention against sending documents and messages in communications to the wrong address or number;
  4. obtaining approval prior to using external public services such as instant messaging, social networking, file sharing or cloud storage;
  5. stronger levels of authentication when transferring information via publicly accessible networks;
  6. restrictions associated with electronic communication facilities (e.g. preventing automatic forwarding of electronic mail to external mail addresses);
  7. advising personnel and other interested parties not to send short message service (SMS) or instant messages with critical information since these can be read in public places (and therefore by unauthorized persons) or stored in devices not adequately protected;
  8. advising personnel and other interested parties about the problems of using fax machines or services, namely:

1) unauthorized access to built-in message stores to retrieve messages;

2) deliberate or accidental programming of machines to send messages to specific numbers.

Physical storage media transfer

When transferring physical storage media (including paper), rules, procedures and agreements should also include:

  1. responsibilities for controlling and notifying transmission, dispatch and receipt;
  2. ensuring correct addressing and transportation of the message;
  3. packaging that protects the contents from any physical damage likely to arise during transit and in accordance with any manufacturers’ specifications, for example protecting against any environmental factors that can reduce the effectiveness of restoring storage media such as exposure to heat, moisture or electromagnetic fields; using minimum technical standards for packaging and transmission (e.g. the use of opaque envelopes);
  4. a list of authorized reliable couriers agreed by management;
  5. courier identification standards;
  6. depending on the classification level of the information in the storage media to be transported, use tamper evident or tamper-resistant controls (e.g. bags, containers);
  7. procedures to verify the identification of couriers;
  8. approved list of third parties providing transportation or courier services depending on the classification of the information;
  9. keeping logs for identifying the content of the storage media, the protection applied as well as recording the list of authorised recipients, the times of transfer to the transit custodians and receipt at the destination.

Verbal transfer

To protect verbal transfer of information, personnel and other interested parties should be reminded that they should:

  1. not have confidential verbal conversations in public places or over insecure communication channels since these can be overheard by unauthorized persons;
  2. not leave messages containing confidential information on answering machines or voice messages since these can be replayed by unauthorized persons, stored on communal systems or stored incorrectly as a result of misdialling;
  3. be screened to the appropriate level to listen to the conversation;
  4. ensure that appropriate room controls are implemented (e.g. sound-proofing, closed door);
  5. begin any sensitive conversations with a disclaimer so those present know the classification level and any handling requirements of what they are about to hear.

The control’s main objective to maintain the security of any information received or sent on the networks. In order to protect the transferees by using all types of communication facilities, official transfer policies, procedures and controls should be developed. So, any entity could not alter,detect or manipulate the originality of the information. The information transfer aspect includes the following controls:

  • Information transfer can happen using different communication channels (for example, e-mail, instant messaging tools, telephones, faxes, etc). For that purpose, companies should define the acceptable use of all these communication tools, what kind of information should be transferred, and how these communication channels will be protected. These policies and procedures should be communicated to the relevant personnel.
  • Agreements on information transfer – in some cases, when your company transfers sensitive information to third parties, formal agreements should be signed. These agreements can include elements such as rules for labelling the information, usage of cryptography, defining access controls, defining responsibilities for managing security incidents, etc.
  • Electronic messaging – meaning protection of the information involved in electronic messaging, by defining which public services are allowed to be used (for example, social networks, file sharing, etc.), using electronic signatures, etc.
  • Confidentiality and non-disclosure agreements – one way of protecting sensitive company data is by using legal means through confidentiality statements and non- disclosure agreements. These should be signed by both employees and external parties.
  • This section is significant because it covers the controls for communicating information inside and outside the organization, which is an essential activity of all organizations operating in today’s information age. Communications security is also critical because the confidentiality, availability, and integrity of the information might be endangered during transit.

Clear policies and procedures that govern the transfer of information between individuals both within and outside your organization should be established. Be sure to consider all possible methods of communication, including face-to-face, e-mail, voice, fax, and video, when drafting your policies. General policies about information transfer should include guidelines for acceptable use, and more specific procedures can be established to ensure secure transfer using approved methods. Make sure your users are aware of the limitations of each system (e.g., transferring information via fax machine is only a secure option if physical access to the machine on the other end is restricted). In addition to establishing policies, technical controls should be implemented, when feasible, to protect the confidentiality, integrity, and availability of the information being transferred. Most anti-virus and anti-malware solutions have tools that can scan e-mails in real-time, and encrypting important e-mails can be done for free (using PGP, for instance) or implemented enterprise-wide. These controls can provide the first line of defense against infection and/or compromise. It is still important, however, to discuss information transfer as a part of your organization’s information security awareness program. Educating your users about not communicating confidential information over insecure channels, state and organizational retention guidelines, and the dangers of e-mail auto-forwarding, among other topics, can go a long way toward ensuring that your systems and data remain secure. Formal transfer policies, procedures, and controls must be in place to protect the transfer of information through the use of all types of communication facilities. Whatever type of communication facility is in use, it is important to understand the security risks involved in relation to the confidentiality, integrity, and availability of the information and this will need to take into account the type, nature, amount, and sensitivity or classification of the information being transferred. It is especially important to implement such policies and procedures when information is being transferred out of or into the organization from third parties. Different but complementary controls may be required to protect information being transferred from interception, copying, modification, misrouting, and destruction and should be considered holistically when identifying which controls are to be selected.

Information may be transferred digitally or physically and agreements must address the secure transfer of business information between the organization and any external parties. Formal transfer policies procedures and technical controls should be selected, implemented, operated, monitored, audited, and reviewed to ensure ongoing effective security protection. Often, communications and transfer systems and procedures are put in place, without a real understanding of the risks involved which therefore creates vulnerabilities and possible compromise. ISO 27002 touches on implementation considerations including consideration of notifications, traceability, escrow, identification standards, the chain of custody, cryptography, access control, and others. If your organization has a business that needs to transfer information to a third party, then you should (and, in some cases, are legally required) enter into an official agreement with them in order to preserve the security of that information. These agreements generally set minimum standards for protecting your data, and may also establish the limits of liability for both parties in the event of a breach or other unauthorized disclosure of data. If the data being transferred is considered HIPAA-protected then the two parties must enter into a Business Associate Agreement (BAA). BAA’s are required to include clauses covering data security data disclosure, and data destruction, among others. Similarly, if the data is considered highly sensitive (e.g., social security numbers, bank account numbers), then your organization may require additional data security provisions, similar to those found in a BAA, for such a contract. Information transfer agreements may also include the following: agreed-upon cryptographic standards for encrypting data in transit and at rest, and chain of custody for physical transfer. For example, any agreement between your organization and a company that provides off-site backup storage for your critical systems and data should include clauses that cover minimum standards for the protection of your data in transit from one location to the other (e.g., are the tapes secured in a locked box? Who has the key?), and procedures for identifying and authorizing individuals from one organization or the other (since neither company can reasonably be expected to know all the other’s employees).

The organization must develop rules, procedures, and agreements, including a topic-specific information transfer policy, that provides data in transit with a level of protection appropriate to the classification assigned to that information.The level of protection should match the level of criticality and sensitivity of information transmitted.The organisations must sign transfer agreements with recipient third parties to guarantee secure transmission of data. It lists the elements that must be included in all rules, procedures, and agreements for all three types of transfers in general:

  • Organisations must define controls appropriate to the level of classification of the information to protect the information in transit from unauthorised access, modification, interception, copying, destruction, and denial-of-service attacks.
  • An organisation must keep control over the chain of custody while it is in transit and must define and implement controls to ensure traceability of information.
  • Relevant parties involved in the transfer of information should be defined and their contact details should be provided. This may include information owners and security officers.
  • Allocation of liabilities in case a data breach occurs.
  • Using a labeling system.
  • Ensuring the availability of the transfer service.
  • Creating topic-specific guidelines on the information transfer methods.
  • Guidelines for storage and deletion of all business records, including messages.
  • Analysis of the impact any applicable laws, regulations, or other obligations may have over the transfer.

Electronic messaging includes e-mail, peer-to-peer file transfer, social network-based communications (e.g., Twitter, Facebook chats, LinkedIn, Skype, etc.) and more. Your organization should consider introducing a policy that governs the authorized use of these mediums; at a minimum, such a policy should establish the authority to represent your organization in an official capacity on the Internet. Also, because your organization is unable to apply technical controls to third-party electronic messaging mediums – Twitter, Facebook, et. al. – there is no way for you to quantify or improve their level of security in order to effectively secure a confidential message travelling across one of these mediums. The solution to this problem is to clearly state in your policy that organization-related business is only to be communicated and/or conducted using approved, secured methods (e.g., e-mail). Any information that is involved in any form of electronic messaging needs to be appropriately protected. Put in simple terms, when using electronic messaging, it should be protected to ensure no unauthorized access can be gained The organization should create a policy which sets out which forms of electronic messaging should be used for the different types of information being transferred, e.g. depending on how secure they are. Considerations will also need to be made for voice & fax communications transfer, and physical transfer (e.g. via postal systems). This should align with access controls and other secure authentication policies and log-on procedures.Rules, agreements, and procedures should address the following issues when information is transferred electronically:

  • Detection and prevention of malware attacks.
  • Protecting sensitive information contained in the attachments transferred.
  • Ensuring that all communications are sent to the correct recipients and the risk of sending communications to wrong email addresses, addresses, or phone numbers is eliminated.
  • Obtaining prior authorization before starting to use any public communication services.
  • Implementing stricter authentication methods when data is transmitted via public networks.
  • Imposing restrictions on the use of e-communication services such as banning automatic forwarding.
  • Advise personnel on not using short message or instant message services to share sensitive data because this content may be seen by unauthorized individuals in public spaces.
  • Advising staff and other relevant parties on the security risks presented by fax machines such as the risk of unauthorized access or re-routing of messages to specific numbers.

When information is shared via physical means such as papers, the rules, procedures, and agreements should cover the following:

  • Assignment of responsibilities for notification of transmission, dispatch, and receipt.
  • Ensuring correct addressing and transportation of the message.
  • Packaging eliminates the risk of damage to the contents that may arise when the content is in transit. For instance, packaging should be good enough to not be affected by heat or moisture.
  • A list of reliable couriers agreed and authorised by the management.
  • Description of courier identification standards.
  • Use of tamper-resistant controls such as bags if the level of sensitivity and criticality of information demands it.
  • Procedures to verify IDs of couriers.
  • Approved list of third parties providing transportation or courier services depending on the level of classification.
  • Keeping log records of the time of delivery, list of authorised recipients, protections applied, and receipt at the destination.

When personnel exchange information within the organisation or when they transmit data to external parties, they should be informed of the following risks:

  • They should avoid having confidential conversations over insecure public channels or in public spaces.
  • They should not leave voice messages that contain confidential information considering the risk of replay by unauthorised persons and the risk of re-routing of the message to third parties.
  • Each individual, whether employees or other relevant third parties, should be screened before being allowed in to listen to conversations.
  • Rooms, where confidential conversations take place, should be equipped with appropriate controls such as sound-proofing.
  • They should give a disclaimer before having any sensitive conversation

Leave a Reply