While this annex clause of ISO27001 for Information security management systems (ISMS) is named Communication Security, think of it more as the security linked to how you move your information around both internally and externally of your organisation. The clause is split into two parts which really link to that internal & external thinking. A13.1 Network security management and A13.2 Information transfer. This is one of those clauses where you absolutely need to pull in your IT network specialists to get some help as the easiest way to meet the challenge soft Annex Clause 13 of your Information Security management system is to start making some lists!
A.13.1 Network security management
In this clause the objective is about ensuring you have the controls in place to ensure the protection of information in your networks (and by extension networks you use but don't own) and its supporting information processing facilities. The easiest way then to go about answering ISO27001 annex clause 13.1 is to start by making a list of all the networks you use, think servers, your hard-wired Local area network (LAN) your Wifi networks, networking applications and so on. Now you have that list it's time to look at the 3 sub clauses and work out the controls you need to put in place to meet the 3 requirements.
- A.13.1.1 Network controls – This says that "networks shall be managed and controlled to protect information in systems and applications." This is where your network administrator comes in to their own as they will have in place the various access controls, secure set ups, encryptions, what sits on what network, what network assets can link to others and so forth. For example, in a manufacturing company I used to work in we had the standard company network, we then had a separate network that all of our manufacturing equipment sat on and shared data with, the two were isolated and sharing data between them was very strictly controlled. You need to be able to demonstrate the controls are in place.
- A.13.1.2 Security of network services – Here the requirement is asking you to ensure "Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced." In other works, who has access to what part of your system and when they do have access, what can they do in there? This is also not limited to your internal staff, it's also including any external IT contractors that you use to manage your system or would have possible access to your information should they gain access.
- A.13.1.3 Segregation in networks – This final step is actually easier to do at the same time as you carry out the controls for A.13.1.1. It's asking about controls around how the various "Groups of information services, users and information systems shall be segregated on networks." In other works, you mapped your networks out in A.13.1, not look at how you will split and control what goes on to what network, and who has access rights to work on each.
A.13.2 Information Transfer
As the name suggests, this clause of ISO27001 for Information Security Management is about how you move your information around both inside and outside your organisation, specifically how do you maintain the security of that information as it moves around. Again, you're going to need to support of your IT experts in this section of the Annex clause for your ISO27001 system. There are four areas that you need to think about controls for:
- A.13.2.1 Information transfer policies and procedures – this is about creating the formal policies and procedures and by definition controls you need to have in place that will ensure you have the right level of protection in place for your information. It may cover the category of information people have access to, the levels and authority for sharing it and in the format the information could be shared. I think it's actually easier to write these after you have completed the next 3 subclauses of the Annex 13 of the ISMS and reviewed those in conjunction with A.13.1.
- A13.2.2 Agreements on information transfer - here the ISO27001 standard requires that you set up agreements between you and any external partners that you are transferring information to address the secure transfer of that information between you both (i.e., both ways). By extension it's also wise to cover what the external company can do and how it will manage that information when they get it. Think about it in terms of the method of transfer, if is FTP, HTTPS, email, flash drive, it actually doesn't matter how you move the data across what steps will you both put in place to ensure that the data is only available for the intended recipient?
- A.13.2.3 Electronic Messaging – The days of simple email or text messaging is gone, now you can transfer anything with your phone, FTP, Snapchat, Whatsapp and a multitude of other electronic ways of messaging. This clause isn't about your email it's about any form of electronic data messaging and it requires you to ensure that the information is appropriately protected when transferred. What is appropriate protection? That's up to you and your analysis of the importance and sensitivity of the data, it may just be password protected, it maybe be specially encrypted with a cypher that only Dan Brown's Robert Langdon from Da-Vinci Code fame could crack.
- A13.2.4 Confidentiality or non-disclosure agreements – The ubiquitous NDA is alive and well and something you need to think about with your list of tools for your information security management system. The control requirement is that your NDA's accurately reflect your need to protect the information and that you state this out clearly. It also needs you to review these documents on a regular basis, which makes sense as your level of security and the information you have will change over time. The final step is of course documenting the NDA and its requirements. Like everything we do when looking at management systems our advice here is keep it simple and as far as practicable in plain English, don't allow yourself to get caught up in convoluted legal jargon as this tends to be where loopholes get introduced, but do consult a legal expert!
You can understand from looking at the requirements of the ISO27001 Annex Clause A13 why we strongly suggest you start by making a list of your systems. It's also important to think about the order of doing things, just because the standard is written in a specific way does not mean you need to work through it in that same way. Out of all the requirements of Annex Clause A13, we recommend the very last thing you do it A.13.2.1 which is writing your policies and procedures, we say this because it's only when you have walked through everything else that you can really understand what you need to have procedures and controls for.