Control attributes: Organisational | Preventive | Protect | High priority

A.5.14 Information Transfer

M365 Admin Path: Microsoft Purview compliance portal > Data loss prevention

Evidence Source: Microsoft Purview and Intune

What is A.5.14 Information Transfer?

ISO 27001 control A.5.14 Information Transfer maintains the security and privacy of information in transit within the organisation and with external parties. The control enforces classification-aware transfer rules, prohibits unencrypted channels, and uses DLP to monitor and prevent unauthorised data exfiltration. Transfer methods include encrypted email via sensitivity labels, secure file sharing via SharePoint and OneDrive, encrypted Teams messaging, and blocked removable media.

How to implement A.5.14 in Microsoft 365

Implement A.5.14 by applying the principle of least information for all transfers, sending only the minimum data needed. Verify recipient identity and authorisation before transfer, especially for external recipients.

Require formal NDAs and contracts for transfer of Confidential or Highly Confidential data to third parties. Configure Microsoft Purview DLP policies to scan all data in transit across Exchange, SharePoint, OneDrive, and Teams.

Ensure Confidential and Highly Confidential sensitivity labels apply encryption and information rights management. Configure Intune policies to block removable storage on managed endpoints. Explicitly prohibit FTP, unencrypted email, and consumer file-sharing services.
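The three implementation steps above, carried through in Security & Compliance PowerShell and the Microsoft Graph PowerShell SDK, as an added example that is not the page's or the vendor's own code. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the caller holds Compliance Administrator and Intune Administrator rights, and that the policy, rule, label, profile names and the group GUID are constructed placeholders to be replaced with your own.

```powershell
# Added example (not the page's or the vendor's own code).
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules installed; caller has
# Compliance Administrator and Intune Administrator rights; all names below are placeholders.

# --- Purview DLP: one policy spanning every transfer channel named in A.5.14 ---
Connect-IPPSSession

$policyName = "ISO27001-A5.14-Information-Transfer"
$ruleName   = "$policyName-Block-External-HighlyConfidential"

if (-not (Get-DlpCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    # TestWithNotifications shows policy tips while the rule is tuned; move to
    # -Mode Enable with Set-DlpCompliancePolicy once false positives are understood.
    New-DlpCompliancePolicy -Name $policyName `
        -Comment "A.5.14: monitor and block unauthorised transfer of labelled data" `
        -ExchangeLocation All `
        -SharePointLocation All `
        -OneDriveLocation All `
        -TeamsLocation All `
        -Mode TestWithNotifications
}

# Condition: content carries the "Highly Confidential" sensitivity label (assumed label name).
$labelCondition = @{
    operator = "And"
    groups   = @(@{
        operator = "Or"
        name     = "HighlyConfidentialLabel"
        labels   = @(@{ name = "Highly Confidential"; type = "Sensitivity" })
    })
}

if (-not (Get-DlpComplianceRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    # Block sharing with anyone outside the organisation, tell the owner why, and raise
    # a high-severity incident report so the trigger shows up in the DLP activity evidence.
    New-DlpComplianceRule -Name $ruleName -Policy $policyName `
        -ContentContainsSensitiveInformation $labelCondition `
        -AccessScope NotInOrganization `
        -BlockAccess $true `
        -BlockAccessScope All `
        -NotifyUser @("Owner", "LastModifier") `
        -GenerateIncidentReport SiteAdmin `
        -IncidentReportContent All `
        -ReportSeverityLevel High
}

# --- Intune: block removable storage on managed Windows endpoints ---
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$usbProfile = @{
    "@odata.type"                = "#microsoft.graph.windows10GeneralConfiguration"
    displayName                  = "ISO27001-A5.14-Block-Removable-Storage"
    description                  = "A.5.14: prohibit data transfer via USB mass storage"
    storageBlockRemovableStorage = $true
}
$created = New-MgDeviceManagementDeviceConfiguration -BodyParameter $usbProfile

# A profile does nothing until assigned; the group GUID below is a placeholder for your device group.
$assignment = @{
    target = @{
        "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
        groupId       = "00000000-0000-0000-0000-000000000000"
    }
}
New-MgDeviceManagementDeviceConfigurationAssignment `
    -DeviceConfigurationId $created.Id -BodyParameter $assignment
```

The policy is created in test mode deliberately: a DLP rule that blocks external sharing on first deployment tends to interrupt legitimate transfers, and the matches logged during the test period are the evidence you use to justify the cut-over to enforcement. The prohibition of FTP, unencrypted email and consumer file-sharing services in the text is a policy statement; the rule above enforces the labelled-data part of it, and endpoint DLP or Defender for Cloud Apps would be the place to block the services themselves.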

What an auditor checks for A.5.14

  • Auditors will verify DLP policy configuration showing active monitoring across all locations including Exchange, SharePoint, and Teams.
  • They will review sensitivity label encryption settings for protected labels.
  • Auditors will check Intune device configuration policies blocking removable storage such as USB drives.
  • They will examine DLP activity logs showing policy triggers and user actions.
  • Auditors will verify third-party contracts with data protection and return or destruction clauses are in place for external data transfers.
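An evidence-collection script covering the first four auditor checks above (DLP configuration, label encryption, Intune is covered by the profile export in the portal, and DLP activity logs), plus the email-authentication records that the capabilities listed further down rely on. This is an added example, not the page's or the vendor's own code. It assumes the ExchangeOnlineManagement module is installed, that the caller can run Connect-IPPSSession and Connect-ExchangeOnline, that unified audit log retention covers the 90-day window queried, and that contoso.com is a placeholder for your own domain; the Get-Label property names are an assumption to check against your tenant's output.

```powershell
# Added example (not the page's or the vendor's own code).
# Assumptions: ExchangeOnlineManagement module installed; audit log retention >= 90 days;
# 'contoso.com' is a placeholder domain; Get-Label property names assumed.

$outDir = Join-Path $PWD ("A5.14-evidence-" + (Get-Date -Format 'yyyyMMdd'))
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

Connect-IPPSSession

# 1. DLP policies: which workloads each covers and whether it is enforcing.
$policies = Get-DlpCompliancePolicy
$policies |
    Select-Object Name, Mode, Enabled, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation |
    Export-Csv (Join-Path $outDir 'dlp-policies.csv') -NoTypeInformation

# Flag policies that are not enforcing or miss one of the locations the auditor looks for.
foreach ($p in $policies) {
    $missing = @('ExchangeLocation', 'SharePointLocation', 'OneDriveLocation', 'TeamsLocation') |
        Where-Object { -not $p.$_ }
    if ($p.Mode -ne 'Enable' -or $missing) {
        Write-Warning "Policy '$($p.Name)': Mode=$($p.Mode); uncovered locations: $($missing -join ', ')"
    }
}

# 2. DLP rules: the actions behind each policy (block, scope, notifications).
Get-DlpComplianceRule |
    Select-Object Name, ParentPolicyName, Disabled, AccessScope, BlockAccess, BlockAccessScope, NotifyUser |
    Export-Csv (Join-Path $outDir 'dlp-rules.csv') -NoTypeInformation

# 3. Sensitivity labels: confirm the protected labels actually apply encryption.
Get-Label |
    Select-Object DisplayName, EncryptionEnabled, EncryptionProtectionType, ContentType |
    Export-Csv (Join-Path $outDir 'sensitivity-labels.csv') -NoTypeInformation

# 4. DLP activity: rule matches from the unified audit log ("policy triggers and user actions").
$end   = Get-Date
$start = $end.AddDays(-90)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations DlpRuleMatch -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
    Export-Csv (Join-Path $outDir 'dlp-rule-matches.csv') -NoTypeInformation

# 5. Email authentication (SPF, DKIM, DMARC) for the most-audited transfer channel.
$domain = 'contoso.com'
Connect-ExchangeOnline -ShowBanner:$false
Get-DkimSigningConfig |
    Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME |
    Export-Csv (Join-Path $outDir 'dkim.csv') -NoTypeInformation
$spf   = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings |
    Where-Object { $_ -like 'v=spf1*' }
$dmarc = (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
    Where-Object { $_ -like 'v=DMARC1*' }
@{ Domain = $domain; SPF = $spf; DMARC = $dmarc } |
    ConvertTo-Json | Set-Content (Join-Path $outDir 'email-auth.json')

Write-Host "Evidence written to $outDir"
```

Run it on a schedule and keep the dated folders: an auditor wants to see that monitoring was continuous, not just that it was configured on the day of the audit. The warning loop is the useful part for the engineer, since a policy left in test mode or missing a workload is the most common finding against this control.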


M365 capabilities that implement this control

  • SPF Configuration (Foundation): Configure SPF records for email authentication and anti-spoofing
  • DKIM Configuration (Foundation): Configure DKIM signing for email authentication
  • DMARC Configuration (Foundation): Configure DMARC policy for email authentication enforcement
  • Email Branding (Foundation): Configure organisation branding and external sender warnings
  • Email Disclaimers (Foundation): Configure email disclaimers and transport rules
  • Registered Email Encryption (Info Gov): Court-admissible proof of encrypted delivery for external communications, closing the evidence gap for A.5.14 (Information Transfer) and A.5.31 (Legal/Regulatory Requirements)
  • Adaptive Encryption (Info Gov): Dynamic TLS-first encryption with AES-256 PDF fallback, delivering securely to recipients' inboxes without portal friction — complementing Purview Message Encryption where external recipients lack Microsoft accounts
  • Proof of Delivery (Info Gov): Registered Receipt records with immutable timestamps, content proof, and self-authenticating encryption evidence — directly addressing A.8.24 (Use of Cryptography) audit requirements
  • Outbound AI Threat Detection (Info Gov): AI-driven detection of sensitive content, lookalike domains, and business email compromise at the point of send, reinforcing A.8.12 (Data Leakage Prevention) with human-in-the-loop awareness