A.5.14 Information Transfer
What is this control?
ISO 27001 control A.5.14 Information Transfer maintains the security and privacy of information in transit, both within the organisation and with external parties. The control enforces classification-aware transfer rules, prohibits unencrypted channels, and uses data loss prevention (DLP) to monitor and block unauthorised data exfiltration. In Microsoft 365 the supported transfer methods are encrypted email via sensitivity labels, secure file sharing via SharePoint and OneDrive, encrypted Teams messaging, and blocked removable media.
How to implement in Microsoft 365
Implement A.5.14 by applying the principle of least information to every transfer: send only the minimum data the recipient needs. Verify the recipient's identity and authorisation before transferring, especially for external recipients. Require formal NDAs and contracts before transferring Confidential or Highly Confidential data to third parties.
Configure Microsoft Purview DLP policies to scan all data in transit across Exchange, SharePoint, OneDrive, and Teams. Ensure Confidential and Highly Confidential sensitivity labels apply encryption and information rights management. Configure Intune policies to block removable storage on managed endpoints.
Explicitly prohibit FTP, unencrypted email, and consumer file-sharing services.
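As an added example (not code from the original page), the DLP part of this procedure expressed with the Security & Compliance PowerShell cmdlets: one policy covering Exchange, SharePoint, OneDrive and Teams, and a rule that blocks external sharing of content carrying the Confidential or Highly Confidential label. The policy and rule names and the report recipient are placeholders; the label names assume the tenant uses the labels named above.

```powershell
# Requires the ExchangeOnlineManagement module and a Compliance Administrator role.
Connect-IPPSSession

$policyName = "A.5.14 Information Transfer"   # placeholder name
$ruleName   = "Block external transfer of labelled content"   # placeholder name
$reportTo   = "secops@example.com"            # placeholder incident-report recipient

# Policy scope: all data in transit across the four M365 workloads named by the control.
# Start in TestWithNotifications so users see tips but nothing is blocked yet;
# switch to Enable once the activity report shows no unexpected matches.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "ISO 27001 A.5.14: classification-aware transfer rules" `
    -ExchangeLocation All -SharePointLocation All `
    -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Condition: item carries the Confidential or Highly Confidential sensitivity label
# and is being shared with someone outside the organisation.
$labelCondition = @{
    operator = "And"
    groups   = @(
        @{
            operator = "Or"
            name     = "ProtectedLabels"
            labels   = @(
                @{ name = "Confidential" },
                @{ name = "Highly Confidential" }
            )
        }
    )
}

New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation $labelCondition `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -GenerateIncidentReport $reportTo -ReportSeverityLevel High

# Once the test period is over, enforce the policy.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The incident reports and the DLP activity explorer produced by this policy are the evidence an auditor asks for under "What an auditor looks for" below.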
What an auditor looks for
Auditors will verify DLP policy configuration showing active monitoring across all locations including Exchange, SharePoint, and Teams. They will review sensitivity label encryption settings for protected labels. Auditors will check Intune device configuration policies blocking removable storage such as USB drives.
They will examine DLP activity logs showing policy triggers and user actions. Auditors will verify third-party contracts with data protection and return or destruction clauses are in place for external data transfers.
Related controls
M365 capabilities that implement this control
Configure SPF records for email authentication and anti-spoofing
Configure DKIM signing for email authentication
Configure DMARC policy for email authentication enforcement
Configure organisation branding and external sender warnings
Configure email disclaimers and transport rules