Let’s talk about Information transfer policies and procedures (ISO27001 Annex A Control 13.2.1)

ISO27001 Information transfer policies and procedures

Questions about how to address this control are usually raised by clients early on in discussions on how to implement ISO27001 requirements. “What is meant by transfer?” and “Do we really need complex procedures, as that isn’t going to work with our culture?” are typical.

The ISO27001 document gives only the outline: “Formal transfer policies, procedures… protect the transfer of information… all types of communication facilities”. Guidance comes from the details in ISO27002, which helpfully refers to other parts of ISO27001 that should be considered. These include Clause 10 (use of cryptography) and 12.2.1 (Controls against malware).

The starting point is to identify what is being transferred, both electronically (email, cloud storage etc.) and physically (post, courier, verbally etc.). Once that is known, assess the risks of the information being intercepted, copied, altered or destroyed while it is in transit.

Policies, procedures and documents that can be used include:

  • Classification and handling
  • Acceptable Use, e.g. email use, talking in public places and use of public WiFi
  • Monitoring and logging
  • Malware detection
  • Supplier selection
  • Cryptography
  • Contracts

And never forget about training users in what to do and how they should report any incidents or weaknesses related to transfers.

Get in touch for practical advice on how to implement ISO27001. We have a track record in helping micro-SMEs and SMEs get ISO27001 certification and implement a framework to keep it.

e: ian.grey@wadiff-consulting.co.uk
t: +44 (0)7941 188462