ISO 27001 Annex: A.13.2 Information Transfer

Its purpose is to maintain the security of information transferred to or within an organization as well as to external entities.

A.13.2.1 Information Transfer Policies and Procedures


Formal controls, procedures, and policies should be in place to ensure that information transfers are protected across all types of communication facilities.

Implementation Guidance

These items need to be addressed in procedures and controls for the use of communications services:

1. Methods for preventing interceptions, unauthorized copies, modifications, misrouting, or erasures of transmitted information;
2. Procedures for detecting and protecting against malware that may be transmitted through electronic communications;
3. Procedures to protect data in the form of attachments transferred over the Internet;
4. Specific guidelines or rules governing the appropriate use of communication facilities (Section 8.1.3);
5. Refraining from compromising the rights of another party, for example by defaming, harassing, impersonating, forwarding chain letters, or purchasing illegally;
6. Using encryption to safeguard the confidentiality, integrity, and authenticity of information (refer to Clause 10);
7. Keeping and disposing of all business correspondence following the local and national laws and regulations;
8. Any controls and limits related to the use of communication facilities, for example, on the automatic forwarding of electronic mail to an external address;
9. Reminding employees not to disclose personal information and encouraging them to take necessary precautions;
10. Avoiding answering machine messages that contain sensitive information, because they can be replayed by unauthorised individuals or stored incorrectly as a result of misdialling;
11. Providing advice on issues related to the use of fax machines and services, including:
– Message retrieval without authorization from built-in message stores;
– Deliberate or accidental programming of machines to transmit information to specific numbers;
– Sending documents or messages to the wrong number by misdialing or using the wrong stored number.

Employees should avoid discussing confidential material in public places, over insecure communication channels, in open offices, or in meeting places.

Information transfer services must comply with any relevant legal requirements.

Other Information

The transfer of information can be accomplished through many different types of communication, such as email, voice, fax, and video.

There are several methods for transferring software, including Internet downloads and off-the-shelf purchases from suppliers.

Businesses, governments, and security organizations need to take into account the commercial, legal, and security implications of electronic data transfer, eCommerce, and electronic communication.

A.13.2.2 Agreements on Information Transfer


All agreements should address the secure transfer of business information between the organization and external parties.

Implementation Guidance

The information transfer agreements will include the following:

1. Coordination of communications and control of receipts and dispatches;
2. Assurance of traceability and non-repudiation of actions;
3. Minimum technical standards for packaging and transmission;
4. Agreements regarding escrow;
5. Identification standards for couriers;
6. Identification of responsibilities and liabilities in case of a data security incident, including data loss;
7. Use of an agreed labelling system for sensitive or critical information, ensuring that the labels are understood and that the information is protected accordingly;
8. Software and information standards for reproducing and reading information;
9. Any special controls needed to protect sensitive items, such as cryptography;
10. Maintaining a custody chain for information;
11. Access control at appropriate levels.

Policies, protocols, and guidelines should be developed and followed to secure data and physical resources during transit (see 8.3.3), and should be referred to in transfer agreements.

In any agreement protecting confidential information, the content should reflect the sensitivity of that information.

Other Information

Agreements can be automatic or formal, and contracts may be written or electronic. For confidential information, the specific mechanisms used to transfer such data should be consistent across all organizations and types of agreement.
