9. Communications Security

This category focuses on ensuring the security of information in networks and its supporting information processing facilities. It involves securing both internal and external communications to prevent unauthorized access, data breaches, and interruptions in communication services.

Controls (A.13):

  • A.13.1.1: Network Controls

  • A.13.1.2: Security of Network Services

  • A.13.1.3: Segregation in Networks

  • A.13.2.1: Information Transfer Policies and Procedures

  • A.13.2.2: Agreements on Information Transfer

  • A.13.2.3: Electronic Messaging

  • A.13.2.4: Confidentiality or Non-Disclosure Agreements

Control A.13.1.1: Network Controls

Audit Questions:

  • What controls are in place to secure internal and external networks?

  • How is network traffic monitored and protected against threats?

Common Non-Conformities (NC):

  • Lack of network security controls.

  • Insufficient monitoring of network traffic.

  • Network vulnerabilities not addressed.

Control A.13.1.2: Security of Network Services

Audit Questions:

  • How is the security of network services ensured?

  • Are there agreements in place with network service providers regarding security requirements?

Common Non-Conformities (NC):

  • Inadequate security measures for network services.

  • No security agreements with service providers.

Control A.13.1.3: Segregation in Networks

Audit Questions:

  • How is network segregation implemented to protect sensitive information?

  • What measures are in place to ensure secure segregation?

Common Non-Conformities (NC):

  • Lack of network segregation.

  • Poor implementation of segregation measures.

Control A.13.2.1: Information Transfer Policies and Procedures

Audit Questions:

  • Are there documented policies and procedures for the secure transfer of information?

  • How are these policies communicated and enforced?

Common Non-Conformities (NC):

  • No documented policies for information transfer.

  • Policies not communicated effectively.

  • Inadequate enforcement of transfer procedures.

Control A.13.2.2: Agreements on Information Transfer

Audit Questions:

  • Are there agreements in place for the secure transfer of information with external parties?

  • How are these agreements reviewed and maintained?

Common Non-Conformities (NC):

  • No agreements for information transfer with external parties.

  • Outdated or insufficiently maintained agreements.

Control A.13.2.3: Electronic Messaging

Audit Questions:

  • What controls are in place to secure electronic messaging systems?

  • How are messaging communications monitored and protected?

Common Non-Conformities (NC):

  • Inadequate security controls for electronic messaging.

  • Lack of monitoring and protection for messaging communications.

Control A.13.2.4: Confidentiality or Non-Disclosure Agreements

Audit Questions:

  • Are confidentiality or non-disclosure agreements (NDAs) in place with employees and third parties?

  • How are NDAs enforced and maintained?

Common Non-Conformities (NC):

  • Lack of confidentiality or non-disclosure agreements.

  • NDAs not enforced or maintained properly.

These detailed questions and common non-conformities provide a better understanding of what auditors typically look for in the Communications Security category and potential areas where organizations might fall short.

Previous8: Operational SecurityNext10. System Acquisition, Development, and Maintenance

Last updated