Information security ISO 27001

2 Min

ISO 27001 - Annex A.13 - communications security

DataGuard
DataGuard

Annex A.13 Communications Security protects information and information systems from unauthorised access or modifications. A system's effectiveness is measured by how well it accomplishes its objectives while still preserving the ability to produce useful output. 

It is an important part of the ISMS (Information security management system) which covers all areas where the organisation is at risk of security breaches. This also applies to any third party that interacts with the organisation's IT systems.

This blog discusses communications security (COMSEC), its controls, and the importance of protecting information and information systems from unauthorised access or modification.

What is Annex A.13?

Annex A.13 communications security is a broad subject that includes hardware, software, procedures and personnel which safeguard the transfer of information in storage, over transmission lines and via radio waves.

Hardware, software, procedures and personnel include components such as:

  • Hardware
    The physical components of a system (e.g., computers, printers and fax machines) that house equipment or components that process data into information.
  • Software
    Programs or operating systems used to operate these devices; examples include word processing applications like Microsoft Word or graphic design programs such as Adobe Illustrator.
  • Procedures
    Rules established by an organisation to provide guidelines for its employees about how work should be performed within an organisational context. Examples include password protection policies to protect sensitive data files from unauthorised access or encryption algorithms used during transmission of confidential documents across unsecure networks.
  • Personnel
    Human resources working within organisations whose actions affect its overall security policy. Examples include employees who may unintentionally leak sensitive information about their employer through social media posts containing exclusive information about their company's clients' financial transactions.

It's recommended that Annex A.13 is used in conjunction with other security measures and guidance, such as the Annex A controls along with the ISMS. 

What is communications security?

Communications security is a part of information security, which in turn is a component of IT security. Information security refers to the set of policies and processes designed to ensure that data remains secure throughout its lifecycle.

Protecting networks, computers, as well as smartphones against cyber threats is the focus of data privacy. Therefore, when a system accomplishes its goals without causing any complications for its users, it is considered effective.

Annex A.13 also applies to any third-party suppliers and customers that interact with the organisation's IT systems. This includes websites, e-Mail, data storage and processing facilities.

Why is communications security important?

In a business context communications security helps prevent risk of the following types of damages:

    • Financial loss: The risk of unauthorised disclosure, modification, destruction or misuse of information would result in tangible loss such as theft or fraud.
    • Damage to reputation: The risk of harm to your company's image, brand and/or customer loyalty due to non-compliance with security regulations and/or poor management practices. This can lead to loss of customers and contracts as well as a decrease in revenue and profits.
    • Loss of public trust: The risk of sensitive information being disclosed inappropriately due to insufficient security controls.
 

What are the Annex A.13 controls?

A.13.1 Network Security Management

Protecting data in networks and the information processing facilities that enable them is the objective of this Annex. Two of the most important things to focus on in this section are the management of network security and the maintenance of data integrity and availability.

A.13.1.1 Network controls

A company's network must safeguard itself against intrusions, interceptions, and other forms of data manipulation techniques. In order to protect your firm from external threats, you will need to have an in-depth understanding about your network's requirements, dangers, and assets. When developing a security policy, you should consider both internal and external threats.

Controls relevant to the situation include, but are not limited to:

  • Firewalls and preventive systems
  • Lists of access controls 
  • Connection controls
  • End point verifications
  • The separation of networks

A.13.1.2 Security of network services

Establishing security measures to safeguard data sent across a network should be completed according to the results of the risk assessment. Security standards, business requirements, and possible risks should all be considered when drafting network service agreements.

A.13.1.3 Segregation in networks

There should be separate systems in place for various sorts of users and information networks. Sections for public, departmental, critical and management access should all be maintained separately. Instead of depending on one another, it is safer to have each service handle its own procedures.

A.13.2 Information transfer control

This ensures the safety of any data sent to and received from within and outside the company.

A.13.2.1 Information transfer policies and procedures

You'll need policies to keep data safe as it travels across your network. A variety of standards should be supported, and policies and procedures for the transfer of these risks must be in place.

A.13.2.2 Agreements on information transfer

Your company's agreements with outside representatives should explicitly state that any data transmitted or received must be kept secret and intact. Protecting both physical and digital copies of information should be done in accordance with the agreement's specific categorisation standards.

A.13.2.3 Electronic messaging

Digital messaging systems must be safeguarded from cyber threats and connected to policy criteria about suitable e-messaging for different types of content. Identity theft and fraud may occur if sensitive financial information is sent over electronic communication channels without appropriate security safeguards in place. In this, encryption, masked communication, and monitoring must all be incorporated.

A.13.2.4 Confidentiality or non-disclosure agreements

Non-disclosure agreements are critical when it comes to protecting data. 

Generally, nondisclosure agreements may be divided into the following groups:

  • Unilateral
  • Bilateral/ Multilateral

Conclusion

It is important to remember that the communications security depends on several factors, including the type of equipment you use and how you send messages. If in doubt, always follow best practice guidelines provided by your organisation. Annex A.13 is critical to your organisation's implementation of ISO 27001 since it demonstrates good security practices and gives you a competitive advantage.

DataGuard helps organisations implement ISO 27001 for the external audit. Interested in taking Information Security to the next level? Book an appointment and get in touch with our experts today.

Book an appointment

 
Originally published updated
InfoSec Beginners Guide 212x234 UK InfoSec Beginners Guide 800x600 MOBILE UK

Information Security 101

Learn how an ISMS (Information Security Management System) can protect your organisation.

Get your free guide
Tags Information security ISO 27001

About the author

DataGuard DataGuard
DataGuard

Explore more articles

Don’t miss these topics:

Related Articles

Why resilience requirements are key to long-term business success
Information security

6 Min

Why resilience requirements are key to long-term business success

Discover how resilience strategies, from risk assessment to adaptability training, help businesses reduce financial losses, protect reputation, and retain customers.

Read more
The key components of a compliance risk assessment matrix
Risk management

4 Min

The key components of a compliance risk assessment matrix

Learn why a compliance risk assessment matrix is crucial, its key components, and how it strengthens risk management to protect your organisation.

Read more
From identification to mitigation: Understanding risk assessment methodology
Risk management

6 Min

From identification to mitigation: Understanding risk assessment methodology

Explore the steps and methodologies of risk assessment to manage vulnerabilities, reduce risks, and implement effective mitigation strategies for your business.

Read more
What is policy lifecycle management and why is it important?
Information security

6 Min

What is policy lifecycle management and why is it important?

Effective policy lifecycle management ensures compliance, improves communication, and streamlines updates for continuous improvement and risk reduction.

Read more
How to perform a privacy impact assessment: a step-by-step guide
GDPR

6 Min

How to perform a privacy impact assessment: a step-by-step guide

Learn the essentials of conducting a privacy impact assessment to identify and mitigate data risks, comply with GDPR, and enhance trust and security.

Read more
The benefits of using a risk management framework for risk mitigation
Risk management

5 Min

The benefits of using a risk management framework for risk mitigation

Discover how a risk management framework identifies, prioritises, and mitigates risks to support compliance, resilience, and informed decisions.

Read more

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies
Certified-Icon

100% success in ISO 27001 audits to date

 

 

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Transparent consent collection
  • Comply with GDPR, CCPA, LGPD, ePrivacy, and more
  • Consolidate consents across multiple touchpoints
  • Support from privacy experts
  • Integrates with your marketing tools and CRM

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Let's talk