Part 32 - A13 Communications Security
This clause of Annex A of ISO 27001 captures two areas of information security, namely network security and information transfer. The way I see it, network security is internally focused and information transfer has an outward focus.
I’ll start with network security.
A.13.1 Network Security Management
The objective of this clause is to ensure the protection of information in networks and its supporting information processing facilities.
All businesses have multiple information networks. I suggest that you list all your networks and the controls you have in place to manage and secure them. Then list how they are segregated.
Here at Mango we created a master list of all our networks, like servers, applications, LANs, Wi-Fi etc., and determined how each was managed and controlled. The controls for segregation were also listed.
I suggest that you get expert help here to ensure that all your bases are covered.
Next up is how information is transferred.
A.13.2 Information Transfer
The objective here is to maintain the security of information transferred within your organisation and with any external entity.
Once again you need to list all the communication and information transfer activities in your organisation.
The standard here helps to ensure you have covered everything. This includes:
- Information transfer policies and procedures
- Agreements on information transfer
- Electronic messaging
- Confidentiality or nondisclosure agreements
- Create a master list of your networks, like servers, applications, LANs, Wi-Fi etc., and determine how each is managed and controlled.
- List how each is segregated
- List all the communication and information transfer activities.