A marketing team sends a client list to an external agency via unencrypted email. A developer copies source code onto a USB stick to work from home. A manager discusses confidential restructuring plans in a crowded airport lounge. Each of these is an information transfer — and each one needs rules.
A.5.14 requires the organisation to establish formal transfer rules, agreements and procedures that protect information during transit, regardless of whether the channel is electronic, physical or verbal.
What does the standard require?
- Define transfer rules and procedures. The organisation must establish rules for every type of information transfer — electronic, physical and verbal. These rules must reflect the classification level of the information being transferred.
- Establish transfer agreements. When information is shared with external parties, formal agreements must define the protection measures both sides will apply. This includes encryption requirements, handling instructions and liability provisions.
- Protect information in transit. Technical and organisational measures must prevent interception, unauthorised access, copying, modification and misdirection during transfer.
- Maintain records. The organisation must be able to demonstrate which transfer channels are approved, which agreements are in place and how compliance is monitored.
- Address all transfer types. Electronic transfers (email, file sharing, cloud upload), physical transfers (mail, courier, USB media) and verbal transfers (phone, video call, in-person) each need specific rules.
In practice
Map your transfer channels. List every channel the organisation uses to send or receive information: email, messaging platforms, file-sharing services, physical mail, courier, USB devices, verbal discussions. For each channel, determine what classification levels it may carry.
Set minimum protection per classification. Define which technical measures apply at each level. For example: internal-only information may travel via standard corporate email, while confidential information requires end-to-end encryption or a secure file-sharing portal.
Create transfer agreements for external parties. Where information leaves the organisation, draft agreements that specify protection measures, incident notification obligations, return-or-destroy clauses and audit rights. Standard templates speed up the process.
Train employees on verbal transfer risks. Many leaks happen through careless conversations — in open-plan offices, during travel, over speakerphone. Awareness training should cover practical scenarios employees actually encounter.
Implement technical controls. Data Loss Prevention (DLP) tools can detect and block unauthorised transfers. Email gateways can enforce encryption for messages containing classified content. USB port restrictions prevent uncontrolled data export.
Typical audit evidence
Auditors typically expect the following evidence for A.5.14:
- Information transfer policy — overarching rules for all transfer types
- Channel-specific procedures — detailed instructions per transfer channel
- Transfer agreements — signed agreements with external parties covering security requirements
- Approved channel register — list of permitted transfer channels per classification level
- DLP or monitoring logs — evidence that technical controls enforce transfer rules
- Training records — evidence that employees have been trained on transfer procedures
KPI
% of information transfers conducted via approved and secure transfer mechanisms
This KPI tracks whether information actually flows through sanctioned channels. Measurement typically relies on DLP monitoring data, email gateway logs and periodic spot checks. A low score indicates that information is moving through shadow-IT transfer channels that bypass organisational controls.
Supplementary KPIs:
- Number of transfer agreements in place versus number of external data-sharing relationships
- Number of policy violations detected by DLP tools per quarter
- Percentage of USB devices in use that meet encryption requirements
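As an added example (constructed here, not code from the page or the standard), the following Python script encodes an approved-channel register per classification level, as in the "Set minimum protection per classification" step above, and evaluates sample gateway/DLP events against it to produce the main KPI together with a per-reason violation count for the supplementary DLP KPI. The classification and channel names, the domains, the agreement list and the `key=value` event format are all assumptions.

```python
import re
from collections import Counter
ENC_LEVEL = {"none": 0, "transport": 1, "e2e": 2}  # "e2e" on USB means full-device encryption

# Approved channel register (constructed, not the page's): minimum encryption per
# classification and channel; a channel absent from a level is not approved there.
APPROVED = {
    "public":       {"email": "none", "portal": "none", "usb": "none"},
    "internal":     {"email": "transport", "portal": "transport", "usb": "e2e"},
    "confidential": {"email": "e2e", "portal": "transport"},
    "restricted":   {"portal": "transport"},
}
OWN_DOMAIN = "corp.example"          # assumed internal mail domain
AGREEMENTS = {"agency.example.net"}  # external parties with a signed transfer agreement

def parse_event(line):  # one 'key=value' gateway/DLP line (constructed format) -> dict
    return dict(re.findall(r"(\w+)=(\S+)", line))

def check_transfer(ev):  # None if approved, otherwise the violation reason
    rules = APPROVED.get(ev.get("class"))
    if rules is None:
        return "unknown classification"
    needed = rules.get(ev.get("channel"))
    if needed is None:
        return f"{ev.get('channel')} not approved for {ev['class']}"
    if ENC_LEVEL.get(ev.get("enc", "none"), 0) < ENC_LEVEL[needed]:
        return f"{ev['channel']} requires {needed} encryption for {ev['class']}"
    if "recipient" in ev:  # non-public data leaving the organisation needs an agreement
        dom = ev["recipient"].split("@")[-1]
        if ev["class"] != "public" and dom != OWN_DOMAIN and dom not in AGREEMENTS:
            return f"no transfer agreement with {dom}"
    return None

def transfer_kpi(lines):  # KPI % via approved mechanisms, plus violations by reason
    total, reasons = 0, Counter()
    for ev in (e for e in map(parse_event, lines) if "channel" in e):
        total += 1
        if reason := check_transfer(ev):
            reasons[reason] += 1
    pct = round(100 * (total - sum(reasons.values())) / total, 1) if total else 0.0
    return pct, dict(reasons)

SAMPLE_LOG = [  # constructed events
    "ts=2024-05-02T09:15Z channel=email class=confidential enc=transport recipient=lead@agency.example.net",
    "ts=2024-05-02T09:20Z channel=portal class=confidential enc=transport recipient=lead@agency.example.net",
    "ts=2024-05-02T10:01Z channel=usb class=internal enc=none user=alice",
    "ts=2024-05-02T11:30Z channel=portal class=restricted enc=transport recipient=x@unknown-vendor.example",
    "ts=2024-05-02T12:00Z channel=email class=public enc=none recipient=press@news.example",
]
```

On the sample events the KPI is 40.0 % with three distinct violation reasons; in practice the register and agreement list would be loaded from the organisation's approved channel register and contract records rather than hard-coded.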
BSI IT-Grundschutz
A.5.14 maps to several BSI modules covering data exchange and media handling:
- CON.9 (Information exchange) — core module for establishing transfer rules, agreements and technical safeguards.
- CON.1 (Crypto concept) — encryption requirements for electronic transfers.
- APP.5.3 (Email/Groupware) — secure email configuration and transport encryption.
- SYS.4.5 (Removable media) — rules for handling USB drives, external hard disks and other portable media.
- CON.7.A9 (Mobile working) — requirements for information transfer during travel and remote work.
Related controls
A.5.14 connects the classification framework to operational transfer security:
- A.5.12 — Classification of information: Defines the classification levels that determine which transfer channels are appropriate.
- A.5.13 — Labelling of information: Ensures information carries the correct label so transfer rules can be applied.
- A.5.15 — Access control: Controls who is authorised to initiate or receive transfers.
- A.5.16 — Identity management: Verifies the identity of transfer participants.
Sources
- ISO/IEC 27001:2022 Annex A, Control A.5.14 — Information transfer
- ISO/IEC 27002:2022 Section 5.14 — Implementation guidance
- BSI IT-Grundschutz, CON.9 — Information exchange