Information Transfer Policies and Procedures
Ensure secure and controlled transfer of information within and outside the organisation.
Plain language
Imagine you're sending important business information. This control makes sure all details are safely transferred within your team or to outsiders, meaning no one unwanted reads or alters it. Without these safeguards, valuable info could be leaked or tampered with, causing trust and financial losses.
Framework: ISO/IEC 27001:2022
Control effect: Preventative
ISO 27001 domain: Organisational controls
Classifications: N/A
Official last update: 24 Oct 2022
Control Stack last updated: 19 Mar 2026
Maturity levels: N/A
Official control statement
Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.
Why it matters
Without information transfer policies and agreements, data sent internally or to third parties may be intercepted, altered or misdirected, harming confidentiality and integrity.
Operational notes
Maintain transfer rules and agreements for each channel (email, file sharing, APIs, removable media), including encryption, approval, labelling, and logging; review with suppliers regularly.
Implementation tips
- The IT manager should create a clear policy on how information is transferred within and outside the organisation. This policy should spell out the different types of transfers—electronic, physical, or verbal—and the specific precautions to take for each, following ISO 27002:2022 guidelines.
- HR should train employees on the information transfer policy, making sure everyone understands what is expected. This training could include examples of secure and insecure methods of sharing information and the real-world consequences of data leaks.
- Management should ensure that contracts with third parties include clear terms for how information is shared and protected. This involves adding clauses that specify secure methods of information transfer and stipulate penalties for non-compliance, in line with Australian laws like the Privacy Act 1988.
- The IT team should set up technical controls to protect electronic transfers, such as using encryption and secure channels. This might involve consulting with cybersecurity experts to choose the right tools that align with the organisation's specific needs.
- Administration should label sensitive information clearly, so everyone understands the level of protection needed. Use a simple colour-coded system for files and documents, and ensure it's consistent across the organisation.
Audit / evidence tips
- Ask: Request to see the organisation's information transfer policy.
  Good: A comprehensive document that adheres to ISO 27002:2022 and is accessible to all relevant parties.
- Ask: Inquire about training records for staff on information transfer procedures.
  Good: Regular, documented training sessions with up-to-date materials that include examples and consequences.
- Ask: Obtain recent contracts with third-party vendors.
  Good: Contracts with clearly defined terms for information sharing, referencing industry standards and legal requirements.
- Ask: Request evidence of technical controls for securing electronic information transfer.
  Good: Logs showcasing encryption use and adherence to secure transfer protocols, with regular updates.
- Ask: Inspect examples of labelled documents within the organisation.
  Good: Consistent and clear labelling use across all sensitive documentation, visible and understandable to all relevant staff.
Cross-framework mappings
How Annex A 5.14 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (12) | | |
| ISM-0109 | ISM-0109 requires confirming all members’ nationalities before sending sensitive Australian data to email distribution lists, to prevent ... | |
| ISM-0490 | ISM-0490 requires organisations to prevent the use of S/MIME versions earlier than 3.0 for secure email connections | |
| ISM-0571 | ISM-0571 requires emails to be sent and received via an organisation's centralised email gateways using authenticated and encrypted channels | |
| ISM-0649 | ISM-0649 requires that files imported or exported via gateways or cross-domain solutions (CDSs) are filtered so only allowed file types c... | |
| ISM-0675 | ISM-0675 requires that data authorised for export from SECRET and TOP SECRET systems is digitally signed by a trustworthy source to prese... | |
| ISM-1178 | ISM-1178 requires that network documentation shared with third parties (including in public tenders) is limited to only what is necessary... | |
| ISM-1277 | ISM-1277 requires that data communicated between database servers and web servers is encrypted to protect it in transit | |
| ISM-1284 | ISM-1284 requires that files imported or exported via gateways or Cross Domain Solutions (CDSs) undergo content validation to prevent uns... | |
| ISM-1535 | ISM-1535 requires organisations to develop, implement, and maintain processes and procedures to prevent AUSTEO, AGAO, and REL data from b... | |
| ISM-1589 | ISM-1589 requires organisations to enable MTA-STS to prevent unencrypted SMTP transport between mail transfer agents | |
| ISM-1594 | ISM-1594 requires credentials to be delivered to users via a secure communications channel, or split into two parts with one part provide... | |
| ISM-2098 | ISM-2098 requires mobile devices to be configured so data cannot be transferred over USB connections | |
| Partially overlaps (3) | | |
| ISM-0661 | ISM-0661 requires users to be accountable for data transfers they perform to and from systems | |
| ISM-1574 | ISM-1574 requires contractual arrangements with service providers to document portable data storage arrangements that support backups, se... | |
| ISM-1779 | ISM-1779 requires quarantining data that fails security checks during manual export until it is reviewed and approved for release | |
| Supports (15) | | |
| ISM-0072 | Annex A 5.14 requires organisations to define and apply rules/procedures/agreements for transferring information between the organisation... | |
| ISM-0240 | Annex A 5.14 requires organisations to establish rules and procedures that control how information is transferred, including selecting ap... | |
| ISM-0347 | Annex A 5.14 requires controlled information transfer rules and procedures for all transfer facilities, including manual transfers | |
| ISM-0467 | ISM-0467 requires HACE to be used to protect SECRET and TOP SECRET data communicated over insecure networks, public infrastructure, or ou... | |
| ISM-0481 | ISM-0481 requires the use of high assurance cryptographic protocols in cryptographic components to protect data in transit and related cr... | |
| ISM-0626 | ISM-0626 mandates the use of CDSs to manage cross-domain connectivity between SECRET or TOP SECRET networks and other domains | |
| ISM-0643 | ISM-0643 requires evaluated diodes to control data flow in unidirectional gateways between internal networks and public network infrastru... | |
| ISM-0660 | ISM-0660 requires organisations to fully verify data transfer logs for SECRET and TOP SECRET systems at least monthly to ensure authorise... | |
| ISM-0677 | ISM-0677 requires that files crossing system boundaries via gateways or CDSs have their digital signatures or cryptographic checksums val... | |
| ISM-0947 | ISM-0947 requires sanitising rewritable media after each manual transfer between different security domains to prevent information leakag... | |
| ISM-1192 | ISM-1192 requires gateways to inspect and filter data flows at the transport layer and above to enforce what is permitted to traverse net... | |
| ISM-1420 | ISM-1420 requires controlling the movement of production data so it is not placed into non-production unless the receiving environment is... | |
| ISM-1454 | ISM-1454 requires communications between authenticators and a RADIUS server to be protected by an additional encryption layer (RadSec/IPs... | |
| ISM-1765 | ISM-1765 requires the use of RSA with at least a 3072-bit modulus for signatures and key transport to maintain cryptographic strength | |
| ISM-1908 | ISM-1908 requires organisations to disclose vulnerabilities responsibly and in a timely manner, including publishing or sharing details w... | |
| Related (1) | | |
| ISM-0663 | Annex A 5.14 requires rules, procedures, or agreements to govern secure information transfer internally and with external parties | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.