ISO 27001 - Annex A.13 - communications security

Annex A.13 Communications Security protects information and information systems from unauthorised access or modification. A system's effectiveness is measured by how well it accomplishes its objectives while still preserving its ability to produce useful output.

It is an important part of the ISMS (Information Security Management System), which covers all areas where the organisation is at risk of security breaches. It also applies to any third party that interacts with the organisation's IT systems.

This blog discusses communications security (COMSEC), its controls, and the importance of protecting information and information systems from unauthorised access or modification.

What is Annex A.13?

Annex A.13 communications security is a broad subject that includes hardware, software, procedures and personnel which safeguard the transfer of information in storage, over transmission lines and via radio waves.

Hardware, software, procedures and personnel include components such as:

  • Hardware
    The physical components of a system (e.g., computers, printers and fax machines) that house equipment or components that process data into information.
  • Software
    Programs or operating systems used to operate these devices; examples include word processing applications like Microsoft Word or graphic design programs such as Adobe Illustrator.
  • Procedures
    Rules established by an organisation to provide guidelines for its employees about how work should be performed within an organisational context. Examples include password protection policies that protect sensitive data files from unauthorised access, or encryption algorithms used when transmitting confidential documents across insecure networks.
  • Personnel
    Human resources working within the organisation whose actions affect its overall security posture. Examples include employees who may unintentionally leak sensitive information about their employer through social media posts containing exclusive details of their company's clients' financial transactions.

It's recommended that Annex A.13 is applied in conjunction with other security measures and guidance, such as the remaining Annex A controls and the ISMS as a whole.

What is communications security?

Communications security is a part of information security, which in turn is a component of IT security. Information security refers to the set of policies and processes designed to ensure that data remains secure throughout its lifecycle.

Protecting networks, computers and smartphones against cyber threats is the focus of data privacy. A system is considered effective when it accomplishes its goals without causing complications for its users.

Annex A.13 also applies to any third-party suppliers and customers that interact with the organisation's IT systems. This includes websites, email, and data storage and processing facilities.

Why is communications security important?

In a business context, communications security helps reduce the risk of the following types of damage:

    • Financial loss: The risk that unauthorised disclosure, modification, destruction or misuse of information results in tangible loss such as theft or fraud.
    • Damage to reputation: The risk of harm to your company's image, brand and/or customer loyalty due to non-compliance with security regulations and/or poor management practices. This can lead to loss of customers and contracts as well as a decrease in revenue and profits.
    • Loss of public trust: The risk of sensitive information being disclosed inappropriately due to insufficient security controls.
 

What are the Annex A.13 controls?

A.13.1 Network Security Management

Protecting data in networks and the information processing facilities that enable them is the objective of this Annex. Two of the most important things to focus on in this section are the management of network security and the maintenance of data integrity and availability.

A.13.1.1 Network controls

A company's network must be protected against intrusion, interception and other forms of data manipulation. In order to protect your firm from external threats, you will need an in-depth understanding of your network's requirements, dangers and assets. When developing a security policy, you should consider both internal and external threats.

Controls relevant to the situation include, but are not limited to:

  • Firewalls and preventive systems
  • Access control lists
  • Connection controls
  • Endpoint verification
  • Network separation

A.13.1.2 Security of network services

Establishing security measures to safeguard data sent across a network should be completed according to the results of the risk assessment. Security standards, business requirements, and possible risks should all be considered when drafting network service agreements.

A.13.1.3 Segregation in networks

There should be separate systems in place for the various sorts of users and information networks. Sections for public, departmental, critical and management access should all be maintained separately. Rather than having services depend on one another, it is safer to have each service handle its own procedures.
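The network controls listed under A.13.1.1 and the zone segregation described under A.13.1.3 lend themselves to a concrete check. The following script is an added example, not code from the original article or from DataGuard: it audits a firewall-style rule set against a zone segregation policy and reports any allow rule that lets one zone reach another outside the permitted flows, as well as a missing default deny. The zone ranges, the allowed-flow matrix and the sample rules are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed zone plan (assumption): the four sections named in A.13.1.3.
ZONES = {
    "public": ipaddress.ip_network("203.0.113.0/24"),
    "departmental": ipaddress.ip_network("10.10.0.0/16"),
    "critical": ipaddress.ip_network("10.20.0.0/16"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}

# Segregation policy (assumption): (source zone, destination zone) pairs that
# may initiate connections. Traffic inside a single zone is always permitted;
# any cross-zone flow not listed here must be blocked.
ALLOWED_FLOWS = {
    ("public", "departmental"),
    ("departmental", "critical"),
    ("management", "departmental"),
    ("management", "critical"),
}


@dataclass(frozen=True)
class Rule:
    """One firewall/ACL entry: CIDR or 'any' for src/dst, port 0 means all ports."""
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"


def _zones_covered(cidr: str) -> List[str]:
    """Return every zone whose address range overlaps the CIDR ('any' covers all)."""
    if cidr == "any":
        return list(ZONES)
    net = ipaddress.ip_network(cidr, strict=False)
    return [name for name, rng in ZONES.items() if net.overlaps(rng)]


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return findings for every way the rule set violates the segregation policy."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        # A single allow rule can span several zones; check every zone pair it permits.
        for src_zone in _zones_covered(rule.src):
            for dst_zone in _zones_covered(rule.dst):
                if src_zone == dst_zone or (src_zone, dst_zone) in ALLOWED_FLOWS:
                    continue
                findings.append(
                    f"rule {i} ({rule.src} -> {rule.dst} port {rule.port}) "
                    f"permits {src_zone} to reach {dst_zone}, which the policy forbids"
                )
    # Segregation only holds if everything not explicitly allowed is dropped.
    if not rules or rules[-1] != Rule("any", "any", 0, "deny"):
        findings.append("rule set does not end with an explicit default deny")
    return findings


# Constructed sample rule set: the third entry is the kind of over-broad
# management access that segregation is meant to rule out.
SAMPLE_RULES = [
    Rule("203.0.113.0/24", "10.10.0.0/16", 443, "allow"),  # public web tier -> departmental
    Rule("10.99.0.0/24", "10.0.0.0/8", 22, "allow"),       # management -> all internal zones
    Rule("any", "10.99.0.0/24", 22, "allow"),              # anyone -> management (violation)
    Rule("any", "any", 0, "deny"),                         # default deny
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Run against the sample set, the audit reports three findings, one for each non-management zone that the third rule lets reach the management segment; dropping the final deny entry adds a fourth finding for the missing default deny. The same structure works for a real rule export once the zone table and allowed-flow matrix reflect the organisation's own segregation design.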

A.13.2 Information transfer control

This control protects data sent and received both within the company and with external parties.

A.13.2.1 Information transfer policies and procedures

You'll need policies to keep data safe as it travels across your network. A variety of standards should be supported, and policies and procedures for managing the risks of these transfers must be in place.

A.13.2.2 Agreements on information transfer

Your company's agreements with outside representatives should explicitly state that any data transmitted or received must be kept secret and intact. Protecting both physical and digital copies of information should be done in accordance with the agreement's specific categorisation standards.

A.13.2.3 Electronic messaging

Digital messaging systems must be safeguarded from cyber threats and aligned with policy criteria on the appropriate use of electronic messaging for different types of content. Identity theft and fraud may occur if sensitive financial information is sent over electronic communication channels without appropriate security safeguards in place. Encryption, masking of sensitive content and monitoring should all form part of this.

A.13.2.4 Confidentiality or non-disclosure agreements

Non-disclosure agreements are critical when it comes to protecting data. 

Generally, non-disclosure agreements may be divided into the following groups:

  • Unilateral
  • Bilateral/multilateral

Conclusion

It is important to remember that communications security depends on several factors, including the type of equipment you use and how you send messages. If in doubt, always follow the best practice guidelines provided by your organisation. Annex A.13 is critical to your organisation's implementation of ISO 27001, since it demonstrates good security practices and gives you a competitive advantage.

DataGuard helps organisations implement ISO 27001 for the external audit. Interested in taking Information Security to the next level? Book an appointment and get in touch with our experts today.
