ISO 27001 controls: What is Annex A:13?

Learn how to protect your organisation's network security with ISO 27001 Annex A:13. Discover essential controls for managing information transfer, network services, and electronic messaging. Continue reading for expert guidance from Citation Certification.

ISO 27001 and its controls, including Annex A:13, focus on protecting information from unauthorised access so that your organisation stays secure while operating online. So, within the ISO 27001 set of controls, what is Annex A:13, and how does understanding it help you implement an information security management system (ISMS)?

Annex A:13 is all about network security and guidance on how to protect the information stored in network applications.

ISO 27001 provides a list of controls against which an organisation can analyse its threats and identify gaps, typically using a control checklist. One of these control areas, Annex A:13, is what we'll be looking at today, including what it looks like in the context of your organisation.


Annex A:13 Communication security

The main objective of this Annex is to ensure the protection of information in networks. It is as important a part of an ISMS as the other controls.

If you are looking to achieve ISO 27001 certification, you must understand these controls too.


A:13.1 Network security management

Objective: to ensure the protection of information in networks and its supporting information processing facilities.


Annex A:13.1.1 Network controls

Most businesses today run on networked systems, and these systems are attractive targets for malware and ransomware. Annex A:13 guides you to protect information security through managed and controlled procedures. Technical controls may include endpoint verification, firewall protection, and physical, logical, and virtual segregation. Any organisation working digitally must implement procedures to identify and eliminate threats by applying these Annex A:13 controls.

Annex A:13.1.2 Security of network services

Network security agreements must be implemented. The security mechanisms, service levels, and management requirements of all network services shall be identified. These services could be provided in-house or outsourced to a supplier or contractor. A risk assessment should be prepared for any threat to the network systems.

Annex A:13.1.3 Segregation in networks

Network segmentation involves partitioning a network into smaller networks, while network segregation involves developing and enforcing a ruleset for controlling communications between specific hosts and services. Accordingly, groups of information services, their users, and other information systems shall be segregated on networks.


Annex A:13.2 Information transfer

Objective: to maintain the security of information transferred within an organisation and with any external entity.


Annex A:13.2.1 Information transfer policies and procedures

This control's main objective is to maintain the security of any information received or sent over networks. To protect information transferred through all types of communication facilities, formal transfer policies, procedures, and controls should be developed. This ensures that no unauthorised entity can alter, intercept, or manipulate the information and that its integrity is preserved.

Annex A:13.2.2 Agreements on information transfer

The relevant parties should be notified of how transmission, dispatch, and control of information are managed. A mutual agreement to protect the transmitted information should be created. Such agreements should address the secure transfer of business information between the organisation and outside parties.

Annex A:13.2.3 Electronic messaging

There are various kinds of electronic messaging, such as email systems, electronic data interchange, and social networking. Any electronic transmission method must operate within a secure network zone. Users must ensure that data transferred electronically is addressed to the correct recipient. Requiring formal approval before using external public services, such as instant messaging, social networking, or file sharing, helps maintain information security.

Annex A:13.2.4 Confidentiality or non-disclosure agreements

Any information sharing via any networking method must include a digital confidentiality agreement, for instance a non-disclosure statement at the end of emails. However, a formal agreement when sharing highly confidential information offers more protection than other measures, because it is legally binding on the parties. The agreement must be signed before any information is exchanged.

Certification made simple

Want to know more about Certification to ISO/IEC 27001 Information Security Management Systems? Get in touch with Citation Certification today.
