Develop and Maintain Data Transfer Procedures
Ensure data transfers are securely conducted with proper procedures in place.
Plain language
This control is about making sure that when you move data from one place to another, it's done safely and securely. If the process isn't secure, sensitive data could be exposed to the wrong parties, leading to privacy breaches, financial loss, or damage to your business's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for data transfers
Section
Data transfers
Official control statement
Data transfer processes, and supporting data transfer procedures, are developed, implemented and maintained.
Why it matters
Insecure data transfers can leak sensitive information in transit, leading to privacy breaches, legal penalties and reputational harm.
Operational notes
Maintain documented transfer procedures (methods, encryption, approvals and recipients) and review them regularly to address new threats and changes.
Implementation tips
- The IT manager should develop a written plan for data transfers, outlining the specific steps required and tools to use. This plan should detail how to securely send information, such as using encryption and secure connections.
- The office manager should train staff on the new data transfer procedures. Organise a session where you explain why secure data transfer is important and demonstrate how to follow the procedures correctly.
- HR should include data transfer requirements in employee contracts and policies. Make sure all employees sign off on understanding these procedures as part of their onboarding process.
- The IT team should regularly update software used for data transfers to ensure security. This includes installing updates or patches for any tools or platforms used in the process, as outdated systems can be vulnerable to attacks.
- The business owner should review the data transfer procedures annually. You could set a calendar reminder to check if the processes are still effective and make improvements based on any incidents or technological changes.
Audit / evidence tips
- Ask: the documented data transfer procedure manual. Request to see the written guidelines that describe the data transfer process.
  Good: includes a well-organised document that specifies tools, encryption standards, and roles.
- Ask: training records. Request documentation showing when and how employees were trained on data transfer procedures.
  Good: is a comprehensive list showing regular training sessions attended by all staff.
- Ask: records showing that data transfers were checked for compliance with the procedures.
  Good: is an audit log showing timely reviews and documented responses to any issues found.
- Ask: IT maintenance logs. These should detail updates and patches applied to software used for data transfers.
  Good: is a log showing regular updates in line with the latest security recommendations.
- Ask: a policy review schedule. Request the timeline or calendar for reviewing and updating data transfer procedures.
  Good: includes a clear schedule with past and future review dates.
Cross-framework mappings
How ISM-0663 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.14 | Related | Annex A 5.14 requires rules, procedures, or agreements to govern secure information transfer internally and with external parties |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.