Information Security – ISO 27001:2015 and its controls – like Annex A:13 -focus on securing information from unauthorized access, to ensure that your organisation remains protected while operating online. So, with ISO 27001 and its set of controls, what is annex A:13, and how does understanding this help you implement an information security management system?
Let’s find out.
Annex:13 is all about network security and guidance on how to protect the information stored into the network applications.
ISO 27001 provides list of controls, where one can analyse the threats and fill the gaps using the Checklist. One of these controls, Annex A:13 is what we’ll be talking about today, and what it looks like in the context of your organisation.
Annex A:13 Communication Security
The main objective in this Annex is to ensure the protection of information in networking areas. It is important part of ISMS systems as the other controls are as equivalent.
If you are looking to achieve ISO 27001 certification, you must understand these controls too.
A:13.1 Network Security Management
To ensure the protection of information in networks and its supporting information processing facilities.
Annex A:13.1.1-Networks Controls:
In the era of technology, mostly all the business are running on networking systems. These systems are a great opportunity to catch the eyes of Malwares and ransomware. A:13 guides you to protect the Information security by managed and controlled procedures. Technical controls may include endpoint verification, firewall protection, physical, logical and virtual segregation. Any organisation who is working digitally must implement a procedure where the threats could be identified and eliminated by applying these A:13 controls.
Annex A:13.1.2 – Security of Network Services:
To help the system,network security agreements must be implemented for Security mechanisms, service levels and managements requirements of all network services shall be identified. These services could be in-housed or outsourced by a supplier or contractor. A risk assessment plan should be prepared if there is any threat to the network systems.
Annex A:13.1.3- Segregation in Networks
Network segmentation involves partitioning a network into smaller networks; while network segregation involves developing and enforcing a ruleset for controlling the communications between specific hosts and services. Thus, the alignment group of information services, its users and other information systems shall be segregated on networks.
Annex : A.13.2 Information Transfer
To maintain the security of information transferred within an organization and with any external entity.
Annex A.13.2.1 Information Transfer Policies and Procedures:
This control’s main objective to maintain the security of any information received or sent on the networks. In order to protect the transferees by using all types of communication facilities, official transfer policies, procedures and controls should be developed. So, any entity could not alter,detect or manipulate the originality of the informations.
Annex A.13.2.2 Agreements on Information Transfer
The management of the transmission, dispatch and control should be notified to the relevant parties. A mutual agreement to protect the information transmitted should be created. Agreements should address secure transfers between the organization and outside parties of business information.
Annex A:13.12.3 Electronic Messaging
There are various kinds of messages, such as e-mail systems, an exchange of electronic data, and social networking. Any electronic transmission method must provide a secure networking zone. Users Must ensure that the data transferred electronically must address the correct recipient. A formal approval, before using external public authorities, such as instant messaging, social networking or sharing of files can help in maintaining information security.
Annex: A.13.2.4 Confidentiality or Non-Disclosure Agreements
Any information sharing via any networking method must include a digital confidentiality agreement. For instance, A non-disclosure statement at the end of the emails. However, a formal agreement while sharing highly confidential information protects more than any other sources. It gives legal binding on the parties. But, the agreement must be signed prior to exchange of any information.
Want to know more Certification to ISO/IEC 27001 Information Security Management Systems? Click here for more information.