Every time your organization sends a file, shares a document, or discusses sensitive details over a call, information is exposed to interception, leakage, or modification. Most security programs focus on protecting data at rest and overlook the moment it moves — the exact window attackers exploit. ISO 27001 control 5.14 exists to close that gap by requiring formal rules, agreements, and technical safeguards for every channel used to transfer information.
What 5.14 Requires
ISO/IEC 27001:2022 Annex A 5.14 requires organizations to establish, document, and enforce rules and procedures that protect information during transfer. The control applies to every method your organization uses to move data: electronic channels like email, SFTP, cloud sharing, and APIs; physical media including USB drives, printed documents, and backup tapes; and verbal exchanges during calls, meetings, and conferences.
Protection must be proportionate to how the information is classified under your scheme (defined in control 5.12). A public newsletter and a confidential client list should not travel through the same channel with the same safeguards. The control demands that you protect both the integrity and confidentiality of data in transit — core principles of data security — whether the exchange happens internally between departments or externally with vendors, partners, and regulators.
In practice, 5.14 means you need a documented transfer policy, approved methods mapped to classification levels, technical enforcement mechanisms, and formal agreements with any external party receiving your data. Organizations pursuing ISO 27001 compliance should implement this control early, since it intersects with nearly every other data handling requirement in the standard.
Why 5.14 Matters
In a common pattern, an employee sends a spreadsheet of customer records via personal email to meet a deadline. No encryption, no access controls, no audit trail. The file sits in a consumer inbox indefinitely, accessible to anyone who compromises that account. This is not a sophisticated attack — it is a routine operational failure that 5.14 is designed to prevent.
Information is most vulnerable when it moves. Data in transit crosses network boundaries, passes through third-party infrastructure, and often leaves the protective controls your organization spent months building. Effective vendor risk management depends on visibility into how your data travels once it leaves your perimeter — and most organizations have significant blind spots here.
Attackers know this. Man-in-the-middle interception, credential harvesting from unencrypted channels, and exploitation of misconfigured file-sharing links are standard tactics, not edge cases. The ENISA data protection guidance emphasizes that organizations consistently underestimate the risk surface created by routine information transfers, particularly when those transfers involve third-party systems outside their direct control.
The regulatory consequences compound the security risk. GDPR Article 32 explicitly requires appropriate measures for data in transit, and organizations need robust GDPR compliance strategies that address transfer controls specifically. Industry-specific mandates — PCI DSS for payment data, HIPAA for health information — impose additional transfer requirements. A single uncontrolled transfer can trigger breach notification obligations, regulatory investigations, and penalties that dwarf the cost of implementing proper controls. Verizon found that 30% of confirmed breaches in 2025 involved data moving across multiple environments — reinforcing that transfer boundaries are where defenses most often fail.
What Attackers Exploit
The failure modes 5.14 addresses are specific and predictable:
- Unencrypted email attachments containing classified data, readable by any system the message traverses
- Public file-sharing links with no expiration or access controls, discoverable through URL enumeration
- Unsecured APIs transmitting sensitive data without TLS enforcement, exposing payloads to interception
- Physical media shipped without chain-of-custody tracking, creating gaps where drives or tapes go unaccounted
- Verbal disclosure of credentials or sensitive data in public spaces, overheard by unintended parties
- Missing or unenforced transfer agreements with third parties, leaving no contractual obligation to protect your data
- Shadow IT channels like personal messaging apps and consumer cloud storage that bypass every control you have built
How to Implement 5.14
Implementation splits into two domains: what you control directly inside your organization, and what you must verify and enforce across your vendor ecosystem. Both require documented procedures, but the evidence you produce and the verification methods differ.
For Your Organization (First-Party)
Start with your classification scheme. If control 5.12 is not yet implemented or your classification levels are vague, your transfer rules will be arbitrary. Every implementation step below depends on knowing what sensitivity level you are protecting.
- Establish an information transfer policy that explicitly references your classification scheme and defines approved transfer methods for each level. Confidential data might require encrypted email or SFTP only, while internal data may permit standard corporate email with TLS. The policy should also specify who can authorize transfers of highly classified information and what approvals are required before sharing data with external parties.
- Map approved methods to classification levels in a transfer methods matrix. This becomes both your operational reference and a key audit artifact.
- Implement technical enforcement rather than relying on user compliance alone. TLS enforcement on email gateways, endpoint encryption for removable media, DLP rules that block classified data from unauthorized channels, and malware scanning on all attachments. Where possible, configure systems to prevent transfers that violate policy rather than simply alerting after the fact — a DLP rule that blocks a confidential file from reaching a personal email address is far more effective than a report that surfaces the violation days later.
- Build traceability and non-repudiation into every sensitive transfer. Audit logs, delivery receipts, digital signatures, and chain-of-custody records for physical media.
- Address all three transfer types explicitly. Electronic controls are the most mature in most organizations, but physical media and verbal transfers are where gaps persist. Define courier procedures, require tamper-evident packaging, and establish rules for discussing classified information in meetings. For verbal transfers, consider whether sensitive discussions should be restricted to specific rooms or communication platforms, and whether participants need to be reminded of classification levels before meetings begin.
- Train staff on approved methods and make prohibited channels explicit. Telling people “use secure methods” is not training — showing them exactly which tool to use for which classification level is. Include realistic scenarios in your training: what should an employee do when a client asks them to send files via a consumer file-sharing service? What is the correct response when a colleague suggests discussing classified project details over a personal phone call?
- Review and update transfer rules at least annually or whenever your classification scheme, tooling, or threat landscape changes. New collaboration tools, cloud migrations, and remote work arrangements all introduce transfer channels that your original policy may not address. Treat each change as a trigger to revisit your approved methods matrix.
Common mistakes to avoid:
- Focusing exclusively on electronic transfers while ignoring physical and verbal channels
- Writing a transfer policy disconnected from your classification scheme
- Allowing exception channels like personal WhatsApp or consumer Dropbox without compensating controls
- No logging or traceability for sensitive transfers
- Treating all data identically regardless of classification level
For Your Vendors (Third-Party Assessment)
Your transfer security is only as strong as the weakest external party receiving your data. Meeting the third-party risk requirements of ISO 27001 means assessing vendor transfer controls with specific questions, verifiable evidence, and clear red flags.
Questions to ask:
- “Describe your information transfer policies and the classification levels they address.”
- “What encryption standards do you enforce for data in transit?”
- “How do you handle physical media transfers, including chain-of-custody procedures?”
Evidence to request:
- Documented transfer policy with classification-based rules
- TLS configuration reports from email gateways and file transfer systems
- DLP policy documentation and exception logs
- Courier agreements and physical media handling procedures
- Incident response records for any transfer-related security events in the past 12 months
The depth of evidence you require should match the sensitivity of the data you share with that vendor. A marketing analytics provider receiving aggregated, anonymized data warrants a lighter review than a payroll processor handling employee financial records. Scale your assessment rigor to the risk.
Go beyond self-attestation. Request penetration test results that specifically cover data-in-transit controls. Review their SOC 2 Type II report for criteria relevant to transmission security (CC6.7). A structured vendor risk management program ensures these checks happen systematically rather than ad hoc. If a vendor provides a generic security questionnaire response with no specifics about transfer methods, that is information in itself. Ensuring data protection for third parties requires continuous verification, not one-time assessments.
Red flags:
- Vendor cannot produce a documented transfer policy
- No encryption for data in transit, or TLS below version 1.2
- No chain-of-custody process for physical media
- Transfer agreements are generic templates with no specifics about your data
- No incident response process for transfer-related breaches
Audit Evidence for 5.14
Auditors assess 5.14 by verifying that your transfer controls exist in policy, operate in practice, and produce evidence of both. The most common audit finding is a well-written policy with no operational evidence to back it up — your transfer methods matrix says “SFTP only for confidential data,” but there are no logs showing SFTP was actually used or that alternatives were blocked.
Ongoing compliance monitoring helps you maintain audit readiness rather than scrambling before assessments. Build evidence collection into your daily operations so that when the auditor asks for proof, you can pull it from existing systems rather than reconstructing it after the fact. Prepare the following artifacts before your audit:
| Evidence Type | Example Artifact |
|---|---|
| Information Transfer Policy | Documented policy defining approved methods, classification-based rules, and annual review cadence |
| Approved Transfer Methods Matrix | Table mapping each classification level to permitted channels and required safeguards |
| TLS/Encryption Configuration Reports | Screenshots or exports from email gateways and file transfer systems showing enforced encryption |
| DLP Policy and Exception Logs | DLP rule definitions and logs of any exceptions granted with justification |
| Physical Media Transfer Logs | Courier receipts, chain-of-custody records, and tamper-evident packaging verification |
| Staff Training Records | Attendance logs and completion certificates for information transfer training |
| Third-Party Transfer Agreements | NDAs and data processing agreements with transfer-specific clauses |
| Incident Logs | Records of transfer policy violations, investigations, and corrective actions |
Cross-Framework Mapping
If your organization maintains compliance across multiple frameworks, 5.14 maps extensively to controls in NIST SP 800-53 Rev. 5, SOC 2, CIS, and sector-specific regulations. Understanding these mappings is particularly valuable during multi-framework audits, where demonstrating that a single transfer control satisfies requirements across ISO 27001, SOC 2, and NIST simultaneously can reduce duplication of effort.
The table below consolidates the relationships so you can identify where existing controls already satisfy 5.14 requirements — or where gaps remain. Controls marked “Partial” address a narrower scope than 5.14 and will need supplemental measures to achieve full coverage.
NIST 800-53
| NIST Control | Title | Coverage |
|---|---|---|
| AC-04 | Information Flow Enforcement | Full |
| AC-17 | Remote Access | Full |
| AC-18 | Wireless Access | Partial — wireless-specific, narrower scope |
| AC-19 | Access Control for Mobile Devices | Partial — mobile device-specific |
| AC-20 | Use of External Systems | Full |
| CA-03 | Information Exchange | Full |
| PE-17 | Alternate Work Site | Partial — alternate work site-specific |
| PS-06 | Access Agreements | Partial — access agreements, narrower scope |
| SA-09 | External System Services | Full |
| SC-07 | Boundary Protection | Full |
| SC-08 | Transmission Confidentiality and Integrity | Full |
| SC-15 | Collaborative Computing Devices and Applications | Partial — collaborative computing-specific |
Other Frameworks
| Framework | Control | Coverage |
|---|---|---|
| SOC 2 | CC6.7 — Restricts the transmission of information | Full |
| SOC 2 | CC6.1 — Logical access controls | Partial |
| CIS Controls v8.1 | 3.10 — Encrypt sensitive data in transit | Full |
| NIST CSF 2.0 | PR.DS-02 — Data-in-transit is protected | Full |
| DORA (EU) | Article 9(4)(d) — Data-in-transit protection requirements | Full |
Related ISO 27001 Controls
Control 5.14 does not operate in isolation. Its effectiveness depends on supporting controls that define classification, labeling, access, cryptography, and legal obligations. If your classification scheme (5.12) is incomplete, your transfer rules lack a foundation. If your cryptography controls (8.24) are weak, your encryption requirements in the transfer policy have no teeth. Implementing 5.14 without these adjacent controls creates gaps auditors will flag.
| Control ID | Control Name | Relationship |
|---|---|---|
| 5.10 | Acceptable use of information and other associated assets | Defines acceptable use that transfer rules must align with |
| 5.12 | Classification of information | Classification scheme determines the transfer protection level required |
| 5.13 | Labelling of information | Labels ensure recipients understand handling requirements before and after transfer |
| 5.15 | Access control | Controls who can initiate or receive transfers |
| 5.31 | Legal, statutory, regulatory and contractual requirements | Legal requirements shape transfer agreements and cross-border restrictions |
| 5.34 | Privacy and protection of PII | PII transfers require additional safeguards beyond standard classification rules |
| 8.10 | Information deletion | Transferred copies must follow retention and deletion schedules |
| 8.24 | Use of cryptography | Encryption is the primary technical mechanism for protecting data in transit |
| 8.25 | Secure development lifecycle | Secure APIs for automated data transfers must be built into development practices |
Frequently Asked Questions
What is ISO 27001 5.14?
ISO 27001 Annex A 5.14 is an organizational control requiring rules, procedures, and agreements to protect information during electronic, physical, and verbal transfer. It covers both internal exchanges and transfers with external parties, with protection scaled to the information’s classification level.
What happens if 5.14 is not implemented?
Without 5.14, your organization faces audit nonconformity that can block certification, uncontrolled exposure of sensitive data through unsecured channels, potential regulatory penalties under GDPR and sector-specific mandates, and erosion of customer trust when transfer failures lead to breaches.
How do you audit 5.14?
Auditors verify that a documented transfer policy exists and aligns with your classification scheme, review the approved transfer methods matrix, inspect TLS and encryption configuration evidence, check DLP logs and exception records, interview staff on transfer procedures, and examine third-party transfer agreements for specificity and enforceability.
How UpGuard Helps
UpGuard’s platform continuously monitors your vendors’ security posture, including their data-in-transit protections, so you can verify transfer controls without relying on self-reported questionnaires alone. Identify gaps in third-party encryption, transfer policies, and compliance before they become audit findings.