Information Transfer - ISO 27001 Annex A Control

ISO 27001 Annex A 5.14

Information leaving the organisation needs the protection that goes with it.

ISO 27001 Annex A 5.14 - Information Transfer

Information transfer is the movement of information between systems, networks, locations or organisations. Each transfer is a point at which information can be intercepted, lost or sent to the wrong place. The control is about having defined rules so that transfers happen through approved channels with appropriate protection.

Internal transfers cover information moving between systems within the organisation - between cloud services, between offices, between departments. Even within the organisation the rules need to be clear: which channels are approved for which classification, what kind of authentication is required, and what audit trail is kept.

External transfers add the layer of protecting information once it leaves the organisation's direct control. That typically means encryption in transit and at rest, secure file transfer rather than email for higher-classification material, and a documented agreement with the recipient setting out their handling responsibilities.

For us the rule is simple. Anything Confidential goes through the secure file transfer service, not email. Anything with personal data goes the same way unless the recipient has set up the proper exchange route. Email attachments are fine for general business material but not for anything sensitive. Staff get this through induction and refresher training.

Practical Compliance Guidance

Information transfer arrangements are described in the IMS1 manual at section 8.5 alongside the topic-specific Information Transfer Policy and the Communications Policy.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

PP-8-100 Information Security Policy Procedure - Contains the Information Transfer Policy and Communications Policy, which set out the rules for internal and external transfers and the approved channels for each classification.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Standard email is not secure enough for confidential information. Most organisations restrict confidential transfers to encrypted file transfer services, secure portals or encrypted email with verified recipient identity. The exact tools depend on what is approved in the information transfer policy.

For routine commercial relationships the supplier security clauses in the underlying contract usually cover transfer expectations. For higher-risk transfers - regular exchange of personal data, sensitive commercial information, or anything where the recipient becomes a processor under data protection law - a specific data transfer or processing agreement is appropriate.

Where personal data is transferred internationally, UK GDPR adds requirements on top of the information security control. Adequacy decisions, standard contractual clauses or other transfer mechanisms may be needed. The legal register and data protection arrangements should cover this where it is in scope.
