ISO 27001 Controls: What is Annex A:13?

abstract art blur bright

Information Security – ISO 27001:2015 and its controls – like Annex A:13 -focus on securing information from unauthorized access, to ensure that your organisation remains protected while operating online. So, with ISO 27001 and its set of controls, what is annex A:13, and how does understanding this help you implement an information security management system?

Let’s find out.

Annex:13 is all about network security and guidance on how to protect the information stored into the network applications.

ISO 27001 provides list of controls, where one can analyse the threats and fill the gaps using the Checklist. One of these controls, Annex A:13 is what we’ll be talking about today, and what it looks like in the context of your organisation.

iso 27001 certification by best practice

Annex A:13 Communication Security

The main objective in this Annex is to ensure the protection of information in networking areas. It is important part of ISMS systems as the other controls are as equivalent.

If you are looking to achieve ISO 27001 certification, you must understand these controls too.

A:13.1 Network Security Management

To ensure the protection of information in networks and its supporting information processing facilities.

Annex A:13.1.1-Networks Controls:

In the era of technology, mostly all the business are running on networking systems. These systems are a great opportunity to catch the eyes of Malwares and ransomware. A:13 guides you to protect the Information security by managed and controlled procedures. Technical controls may include endpoint verification, firewall protection, physical, logical and virtual segregation. Any organisation who is working digitally must implement a procedure where the threats could be identified and eliminated by applying these A:13 controls.

Get Your Gap Analysis Checklist

close up photography of yellow green red and brown plastic cones on white lined surface
Annex A:13.1.2 – Security of Network Services:

To help the system,network security agreements must be implemented for Security mechanisms, service levels and managements requirements of all network services shall be identified. These services could be in-housed or outsourced by a supplier or contractor. A risk assessment plan should be prepared if there is any threat to the network systems.

Annex A:13.1.3- Segregation in Networks

Network segmentation involves partitioning a network into smaller networks; while network segregation involves developing and enforcing a ruleset for controlling the communications between specific hosts and services. Thus, the alignment group of information services, its users and other information systems shall be segregated on networks.

 Annex : A.13.2 Information Transfer

To maintain the security of information transferred within an organization and with any external entity.

Annex A.13.2.1 Information Transfer Policies and Procedures:

This control’s main objective to maintain the security of any information received or sent on the networks. In order to protect the transferees by using all types of communication facilities, official transfer policies, procedures and controls should be developed. So, any entity could not alter,detect or manipulate the originality of the informations.

Annex A.13.2.2  Agreements on Information Transfer

The management of the transmission, dispatch and control should be notified to the relevant parties. A mutual agreement to protect the information transmitted should be created. Agreements should address secure transfers between the organization and outside parties of business information.

Annex A:13.12.3 Electronic Messaging

There are various kinds of messages, such as e-mail systems, an exchange of electronic data, and social networking. Any electronic transmission method must provide a secure networking zone. Users Must ensure that the data transferred electronically must address the correct recipient. A formal approval, before using external public authorities, such as instant messaging, social networking or sharing of files can help in maintaining information security.

monochrome photography of people shaking hands

Annex: A.13.2.4  Confidentiality or Non-Disclosure Agreements

Any information sharing via any networking method must include a digital confidentiality agreement. For instance, A non-disclosure statement at the end of the emails. However, a formal agreement while sharing highly confidential information protects more than any other sources. It gives legal binding on the parties. But, the agreement must be signed prior to exchange of any information.

Want to know more Certification to ISO/IEC 27001 Information Security Management Systems? Get in touch with Best Practice Certification today.

Subscribe to our Newsletter


This field is for validation purposes and should be left unchanged.

Share This Post With Your Network

More To Discover