As we’ve already seen several times, ISO27001 controls are rarely isolated.
Following A5.12 Classification of information and A5.13 Labelling of information, ISO27001 requires us to carefully plan and control how information will be transferred.
What does the standard require?
The standard states that “Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organisation and between the organisation and other parties.” (A5.14 Information Transfer)
Why is this required?
In order to maintain the security of information transferred internally and externally, your organisation needs to consider the controls that would be required. Information ‘in transit’ is the term used for information moving between individuals and organisations, and it is at this point that information is at greatest risk of loss or compromise.
Dependent upon the classification you have assigned to the information, you need to put in place appropriate controls to protect it from unintentional disclosure, interception, copying, misrouting, destruction or modification.
What the auditor is looking for
Notice that this control says that information transfer rules, procedures or agreements shall be in place. Therefore the auditor will specifically be looking for:
A topic-specific policy related to information transfer.
Procedures related to how information will be transferred.
Supplier contracts and agreements that specify how information will be transferred.
It’s important to remember that information can come in various media, and therefore we need to think about electronic, physical and verbal information transfer.
Your policy, procedures and agreements should cover all of these aspects of information, so be sure to check that you can reference documents or examples where these areas are covered.
The Information Transfer Policy
When developing your policy, remember to keep it simple, but think about the three forms of information: physical, electronic and verbal. Consider what you want people to think about when sending information electronically or in physical form, and what you expect of them when talking about anything which may have an impact on data subjects or your business.
Remember that your information classification scheme which you defined in A5.12 should outline how information will be controlled, and this includes how it will be transferred. For example, you might define customer reports as ‘Confidential’ and any records which are deemed to be confidential (under your classification) shall be transferred using ‘recorded delivery’ for physical records, or encrypted if electronic.
Within your policy you should also set out your expectations on behaviour in relation to verbal communication. For example, you might state that conversations relating to matters classified as confidential should only take place in a secure location, and that locations deemed to be public should not be used to conduct meetings, take calls or discuss these topics.
Procedures
Procedures are, of course, more detailed and provide clear steps that should be taken in relation to the topic of information transfer. For example, you may have a procedure that relates to the transfer of electronic documentation, whereby you outline how data will be encrypted or digitally signed. You might outline how to attach a ‘delivery receipt’ or ‘read receipt’ to ensure that it is delivered to, and read by, the correct individual.
Your procedures may also include how you deal with the transfer of physical information, such as archive boxes or post. Again, here you might outline the procedure for logging such information transfers, and how (or where) to obtain recorded delivery. You might also provide the procedures for selecting appropriate couriers for the transfer of records.
Agreements
Dependent upon the relationship and service provided, your supplier agreements should detail how information will be shared with the service provider. This may include providing them direct access into your systems, and stating that information shall not be transferred out of your internal systems and networks, or it could place additional requirements on the supplier in terms of their access.
Q & A
Do I need a written policy?
In a word, yes. In terms of evidence for the auditor, you most certainly will need a topic-specific policy related to information transfer, and there may be procedures and agreements that support the policy. Consider which is most relevant to you and document appropriately.
Like all policies, it sets out your expectations and intentions related to a specific topic. Information rarely sits still for long! It moves throughout your business, and often outside too. Having a good understanding of how it should be transferred (i.e. used) ensures you can be confident it is protected.
Is it possible to get this wrong?
Only by ignoring this control can you really get it wrong. Whether or not you are sharing information externally, you are still transferring it from one person to another. Information does not sit in a virtual ‘bubble’. It moves, it is copied, it is altered. Think about how information ‘flows’ through your organisation, and consider the risks to it as it moves from one place, department or person to another.
Difficulty rating
We rate this a 1 out of 5 difficulty rating. This means that it requires little if any technical skill to understand the requirement. You need to speak to your business and ask them what information they have, who it is shared with (internally and externally), and how. Then consider the risks associated with this transfer process. Your policies, procedures and agreements will be based on the output of these conversations.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ for answers on other aspects of the standard. Follow the links in this control to see the relationship with other controls, but if you’re still confused by how to implement an RBAC process or identify the key roles in your organisation, just get in touch and we’ll be happy to help.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.