ISO 27001 - Annex A.13 - Communications Security

Dec 26, 2023by Maya G

A.13 of Annex Information and information systems are shielded from unauthorised access and manipulation via communications security. The efficiency of a system is determined by how well it achieves its goals while still maintaining the capacity to provide valuable output.

ISO 27001 Annex A.13  Communications Security, ISO 27001


The ISMS (Information Security Management System) cover all areas where the organization is at risk of security breaches and includes it as a crucial component. This also holds true for any outsider who communicates with the organisation’s IT systems.

ISO 27001 What is Annex A.13?

Annex A.13 of the ISO 27001 standard defines the requirements for an Information Security Management System (ISMS). It is the guidance document that organizations must follow in order to implement and maintain an ISMS.

The purpose of Annex A.13 is to provide a framework for an ISMS that will protect an organization’s information assets from unauthorized access, use, disclosure, or destruction.

Annex A.13 is divided into four sections:

  • Section 1: Introduction
  • Section 2: Scope
  • Section 3: Terms and definitions
  • Section 4: Information security management system requirements

If you are planning on implementing an ISMS, then you must read Annex A.13 of the ISO 27001 standard.

What is communications security?

Communications security is the practice of protecting communications systems and information from unauthorized access or interception. It includes measures to protect the confidentiality, integrity, and availability of information.

ISO 27001 Implementation toolkit, ISMS

There are three primary types of security controls:

  • Preventative controls: These measures are designed to prevent unauthorized access or interception of information.
  • Detective controls: These measures are designed to detect unauthorized access or interception of information.
  • Corrective controls: These measures are designed to correct any unauthorized access or interception of information.

In order to effectively secure communications systems and information, all three types of security controls must be implemented.

Why is communications security important?

Communications security is the practice of protecting communications from unauthorized access or interception. It is a vital part of any security program, as it helps to protect the confidentiality, integrity, and availability of data and information.


There are many reasons why communications security is important, but some of the most important ones are listed below:

  • To protect the privacy of individuals and organisations.
  • To safeguard the confidentiality of business information.
  • To ensure the integrity of communications.
  • To prevent unauthorized access to systems and networks.

What are the Annex A.13 controls?

1. A.13.1 Network Security Management :

A.13.1 Network Security Management is a set of tools and techniques used to protect networks from unauthorized access and other threats. It includes developing, implementing, and maintaining network security policies, procedures, and systems.
A.13.1 Network Security Management aims to ensure the confidentiality, integrity, and availability of data and networks. It also helps to protect against denial-of-service attacks, data breaches, and other cyber security threats.
A.13.1 Network Security Management is an important part of ISO 27001, a global standard for information security management. A.13.1 Network Security Management is a required control in ISO 27001, and it must be implemented to be compliant with the standard.

why is communication security is important, ISO 27001, ISMS, Communication Security

A.13.1.1 Network controls:

A.13.1.1 Network controls are a set of guidelines and procedures that are designed to protect networks from unauthorized access and misuse. They are an important part of any security system, and they should be implemented in order to ensure the confidentiality, integrity, and availability of data and resources.
There are many different types of network controls, and they can be categorized into four main types: physical, logical, administrative, and technical.

  • Physical controls are designed to physically protect network components.
  • Logical controls are designed to restrict access to network resources.
  • Administrative controls are designed to establish rules and procedures for users.
  • Technical controls are designed to prevent or detect unauthorized access.
  • Network controls are an important part of any security system, and they should be implemented in order to ensure the confidentiality, integrity, and availability of data and resources.

A.13.1.2 Security of network services :

The security of network services is essential to protecting the confidentiality, integrity and availability of information. ISO 27001 is an information security standard that provides guidance on how to secure network services. A.13.1.2 is the specific requirement in ISO 27001 for the security of network services.
To meet this requirement, organisations need to put in place controls to secure their network services. These controls can include measures such as firewalls, intrusion detection systems and access control systems.

A.13.1.3 Segregation in networks :

One of the requirements of ISO 27001 is segregation in networks. This is important because it helps to ensure that there is no unauthorized access to the network and that the data is protected.
There are two types of segregation: logical and physical.

  • Physical segregation is when the network is physically separate from the rest of the network. This could be done by using different network cards or by using different physical locations.
  • Logical segregation is when the network is logically separate from the rest of the network. This is done by using different IP address ranges, different VLANs, or different subnets.

There are many benefits of segregation, and it is an important requirement of ISO 27001. By implementing segregation, you can ensure that your data is protected and that the network is secure.

ISO 27001 Implementation Toolkit, ISO 27001 Bundle

2. A.13.2 Information transfer control:

The purpose of A.13.2 Information transfer control is to ensure that information is only transferred to authorized individuals, without the unauthorized individuals being able to access or tamper with the information.
There are two main types of information transfer controls:

  1. Physical controls
  2.  Electronic controls
  • Physical controls involve the use of physical devices to prevent unauthorized individuals from accessing information. For example, locked cabinets, security guards, and reinforced doors.
  • Electronic controls involve the use of software to prevent unauthorized individuals from accessing information. For example, user authentication, encryption, and activity logs.

A.13.2.1 Information transfer policies and procedures :

A.13.2.1 Information transfer policies and procedures (ISO 27001) sets out the requirements for organizations to develop and implement policies and procedures for the transfer of information.
The standard covers the following objectives:

  • To prevent the unauthorised disclosure of information
  • To ensure that information is correctly and safely transferred.
  • To ensure that information is appropriately security labelled.
  • To ensure that information is transferred using secure methods.

Organisations should consider the following when developing their policies and procedures:

  • The security risks associated with the transfer of information.
  • The types of information that are transferred.
  • The need to share information with external organisations.
  • The need for security when transferring information.
  • The need to protect the organization's interests.

 A.13.2.2 Agreements on information transfer:

A.13.2.2 Agreements on information transfer(ISO 27001)manage information security risks arising from the unauthorized disclosure of information. The organization shall establish and maintain documented agreements with external parties who have been authorized to receive organizational information.
These agreements shall specify the information security requirements that must be met by the external party. They shall be reviewed and updated as necessary, and as a minimum, whenever there is a change in information security risks or the external party’s security controls.
The organization shall ensure that information disclosed to an external party is subject to an agreement that includes confidentiality provisions, if required by the organization.

3. A.13.2.3 Electronic messaging

Organizations need to A.13.2.3 Electronic messaging(ISO 27001) secure their email communications to protect the confidentiality, integrity and availability of their information. Email is often used to send and receive sensitive information, such as financial data or customer records, making it a prime target for attack.
In order to A.13.2.3 Electronic messaging(ISO 27001) securely, organizations need to adopt a few best practices, such as encrypting email messages, using secure protocols, and authenticating email messages. By following these best practices, organizations can protect their email communications from attackers and ensure the confidentiality, integrity and availability of their information.

4. A.13.2.4 Confidentiality or non-disclosure agreements

A.13.2.4 Confidentiality or non-disclosure agreements (ISO 27001) is a standard that provides guidance on confidentiality agreements and how they should be used in order to protect information.
Confidentiality or non-disclosure agreements may be appropriate when dealing with information security with other organizations, for example, when outsourcing or engaging in joint ventures. The agreement should identify the information to be protected and the party responsible for its security.

Conclusion:

It is crucial to keep in mind that a variety of factors, including the equipment you use and how you send messages, affect communications security. When in doubt, always abide by the best practise recommendations made by your organisation. The implementation of ISO 27001 by your company must include Annex A.13 since it exhibits best security practises and gives you a competitive edge.

ISO 27001, ISO 27001 Implementation Toolkit, ISMS