Inverifi logo

ISO 27001

Annex A.13 Controls - Communications Security

Get compliant with ISO 27001 – Annex A.13 and simplify compliance for your organisation.

Annex 13 is responsible for protecting information and information systems from unauthorised access or modification. It is an important part of the ISMS, which covers all areas where an organisation is at risk of security breaches, including interaction with third parties.

A.13.1 – Network security management responsibilities

Ensuring the safeguarding of information in networks and supporting information processing facilities.

A.13.1.1 Network controls

An organisation’s network and information processing facilities must be ensured to shield and protect their information from any intrusions and interceptions. To do this, there needs to be an in-depth understanding about the network’s requirements, dangers, and assets. Both internal and external threats should be considered when developing a security policy. 

A.13.1.2 Security of network services

The types of security structures, service levels and business requirements of all network services have to be identified and included when creating network service agreements. A risk assessment plan should also be developed in case of any threats to the network.

A.13.1.3 Segregation in networks

Making sure that there are separate systems in place for various types of users, information services, and information systems. This is to make sure that each service handles its own logistics. This can be achieved through different physical networks or via logical networks.  

A.13.2 – Information transfer control

Ensuring that data sent and received from outside and around the company is safe and secure.

A.13.2.1 Information transfer policies and procedures

Creating policies to keep data safe when it travels within the network. There should be procedures in place for prevention of intercepting or altering information by third parties. Encryption techniques are required to keep information confidential.

A.13.2.2 Agreements on information transfer

Any company agreements with external parties should explicitly state that any data exchanged must be kept confidential. This should be done to protect both physical and digital copies of information, and in accordance with the agreement’s specific categorisation standards.

A.13.2.3 Electronic messaging

Information transferred via electronic messaging must be protected from cyber threats and should fit the policy criteria respective of its content type. Encryption and other security techniques should be used. 

A.13.2.4 Confidentiality or non-disclosure agreements

A digital confidentiality agreement must be signed before any information can be exchanged via any network. This is critical for data protection as it legally binds the parties involved.