ISO 27001 A.5.14: Information transfer
What This Control Requires
Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.
In Plain Language
Information is at its most vulnerable when it is moving. Whether someone is emailing a spreadsheet, uploading files to a client portal, shipping a hard drive, or even discussing sensitive matters over the phone, the risk of interception, modification, or loss is real. This control ensures you have clear rules for how information gets transferred securely.
The rules need to account for the classification level of the information and the transfer method being used. Sending an internal memo is not the same as transferring customer financial data to a third-party auditor. Each scenario needs defined security requirements.
For external transfers, you also need formal agreements with the other party covering security requirements, responsibilities, and what happens if something goes wrong. Auditors will look for evidence that you are not just relying on people to "do the right thing" - you need documented procedures and technical controls backing them up.
How to Implement
Write an information transfer policy covering every method your organisation uses. For each method, define security requirements based on classification level.
For electronic transfers, set minimum encryption standards. Enforce TLS for email: opportunistic TLS falls back to plaintext when the receiving server does not offer encryption, so it is not enough for sensitive data. Use SFTP or encrypted web portals for file transfers, and require TLS 1.2 or higher for API communications. Ban unencrypted methods for anything classified as confidential or above.
For physical media, define packaging and shipping requirements. Sensitive media needs tamper-evident packaging, tracked couriers, and verified delivery. Encrypt data on removable media before shipping and send the encryption key through a separate channel.
Set up formal information transfer agreements with external parties. Cover what information will be transferred, which methods are permitted, security requirements during and after transfer, who is responsible for protection, breach notification obligations, and data retention and disposal rules.
Enforce the policy with technical controls. Use email DLP to catch sensitive information going to unauthorised recipients. Configure file sharing platforms to require authentication and encryption. Block consumer file sharing services and personal email for business use. Provide approved secure alternatives so people are not tempted to work around the rules.
Log sensitive transfers, especially those involving external parties. Record the date, parties, transfer method, content description, and delivery confirmation. Review logs periodically to spot policy violations or unusual patterns.
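The transfer rules above can be checked mechanically during the periodic log review. The script below is an added example, not from the page or any product; it assumes a JSON-lines transfer log holding the fields the text says to record, and the method names, permitted-method table and agreement list are constructed for illustration.

```python
import json

# Permitted transfer methods per classification level (constructed for this example;
# the organisation's own policy defines the real table).
ALLOWED_METHODS = {
    "public": {"email_opportunistic_tls", "email_enforced_tls", "sftp", "secure_portal", "https_api", "courier"},
    "internal": {"email_opportunistic_tls", "email_enforced_tls", "sftp", "secure_portal", "https_api", "courier"},
    "confidential": {"email_enforced_tls", "sftp", "secure_portal", "https_api", "courier"},
    "restricted": {"sftp", "secure_portal", "courier"},
}
BANNED_METHODS = {"email_plain", "ftp", "consumer_share", "personal_email"}  # never allowed for business use
AGREEMENTS = {"auditor.example", "payroll-provider.example"}  # external parties with a signed agreement (constructed)
SENSITIVE = {"confidential", "restricted"}


def check_record(rec):
    """Return policy findings for one transfer record; an empty list means the transfer was compliant."""
    findings = []
    cls, method = rec["classification"], rec["method"]
    if method in BANNED_METHODS:
        findings.append(f"banned method: {method}")
    elif method not in ALLOWED_METHODS.get(cls, set()):
        findings.append(f"{method} not permitted for {cls} data")
    if rec["external"] and rec["recipient_org"] not in AGREEMENTS:
        findings.append(f"no transfer agreement with {rec['recipient_org']}")
    if cls in SENSITIVE and not rec.get("delivery_confirmed", False):
        findings.append("no delivery confirmation for sensitive transfer")
    # Physical media carrying sensitive data must be encrypted, with the key sent by a separate channel.
    if method == "courier" and cls in SENSITIVE and not (rec.get("media_encrypted") and rec.get("key_sent_separately")):
        findings.append("media not encrypted or key not sent via separate channel")
    return findings


def review_log(lines):
    """Parse a JSON-lines transfer log and return {record id: findings} for non-compliant records."""
    violations = {}
    for line in lines:
        rec = json.loads(line)
        findings = check_record(rec)
        if findings:
            violations[rec["id"]] = findings
    return violations


# Constructed sample log: one JSON record per line, holding the fields the text says to record.
SAMPLE_LOG = [
    '{"id": "T1", "date": "2024-03-01", "sender": "finance", "recipient_org": "auditor.example", "external": true, "method": "sftp", "classification": "confidential", "delivery_confirmed": true}',
    '{"id": "T2", "date": "2024-03-02", "sender": "finance", "recipient_org": "auditor.example", "external": true, "method": "email_opportunistic_tls", "classification": "confidential", "delivery_confirmed": true}',
    '{"id": "T3", "date": "2024-03-02", "sender": "sales", "recipient_org": "internal", "external": false, "method": "consumer_share", "classification": "internal"}',
    '{"id": "T4", "date": "2024-03-03", "sender": "hr", "recipient_org": "partner.example", "external": true, "method": "courier", "classification": "restricted", "delivery_confirmed": true, "media_encrypted": true, "key_sent_separately": false}',
]
```

Running `review_log(SAMPLE_LOG)` flags T2 (opportunistic TLS for confidential data), T3 (consumer file sharing) and T4 (no agreement with the recipient, key shipped with the media) while T1 passes.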
Evidence Your Auditor Will Request
- Documented information transfer policy covering all transfer methods and classification levels
- Information transfer agreements with external parties
- Technical controls enforcing transfer security such as encryption and DLP configurations
- Logs of sensitive information transfers with confirmation of receipt
- Records of approved secure transfer tools and channels
Common Mistakes
- No formal policy governing information transfer methods and requirements
- Sensitive information is transferred via unencrypted email or consumer file sharing services
- External transfer agreements do not specify security requirements
- No logging or tracking of sensitive information transfers
- Personnel use personal email or unauthorised cloud services for business transfers
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.7 | Related |
| GDPR | Art.46 | Related |
| GDPR | Art.32 | Related |
| NIS2 | Art.21(2)(d) | Related |
Frequently Asked Questions
What encryption should we use for email transfers?
Do we need transfer agreements with every external party we share information with?