Part 32 - A13 Communications Security
This clause of Annex A of ISO 27001 covers two areas of information security: network security and information transfer. The way I see it, network security is internally focused, while information transfer has an outward focus.
I’ll start with network security.
A.13.1 Network Security Management
The objective of this clause is to ensure the protection of information in networks and its supporting information processing facilities.
All businesses have multiple information networks. I suggest that you list all your networks and the controls you have in place to manage and secure them. Then list how they are segregated.
Here at Mango we created a master list of all our networks (servers, applications, LANs, Wi-Fi, etc.) and determined how each was managed and controlled. The controls for segregation were also listed.
I suggest that you get expert help here to ensure that all your bases are covered.
Next up is how information is transferred.
A.13.2 Information Transfer
The objective here is to maintain the security of information transferred within your organisation and with any external entity.
Once again you need to list all the communication and information transfer activities in your organisation.
The standard helps here by spelling out the controls you need to cover. These are:
- Information transfer policies and procedures
- Agreements on information transfer
- Electronic messaging
- Confidentiality or nondisclosure agreements
Takeaways
- Create a master list of your networks (servers, applications, LANs, Wi-Fi, etc.) and determine how each is managed and controlled.
- List how each network is segregated from the others.
- List all the communication and information transfer activities.
View previous blogs in this series "ISO 27001 Information Security Management Standard":
Part 1 - Reasons why you need to meet this standard
Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
Part 3 - Principle 2 - Awareness of the Need for Information Security
Part 4 - Principle 3 - Assignment of Responsibility for Information Security
Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders
Part 6 - Principle 5 - Enhancing Societal Values
Part 9 - Principle 8 - Active prevention and detection of information security incidents
Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management
Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3
Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4
Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1
Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2
Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3
Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1
Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2
Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4
Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5
Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3
Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3
Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2
Part 24 - ISO 27001 Information Security Management Standard: Clause A5
Part 25 - ISO 27001 Information Security Management Standard: Clause A6
Part 26 - ISO 27001 Information Security Management Standard: Clause A7
Part 27 - ISO 27001 Information Security Management Standard: Clause A8
Part 28 - ISO 27001 Information Security Management Standard: Clause A9
Part 29 - ISO 27001 Information Security Management Standard: Clause A10
Part 30 - ISO 27001 Information Security Management Standard: Clause A11
Part 31 - ISO 27001 Information Security Management Standard: Clause A12