When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this to define which transfer methods are approved for each information classification and what controls must be used.
Transfer rules
| Classification | Internal email | External email | Secure portal/file sharing | Messaging apps | Removable media | Physical/courier | Verbal/phone | Required controls |
|---|---|---|---|---|---|---|---|---|
| Public | Allowed | Allowed | Allowed | Allowed | Allowed | Allowed | Allowed | Owner approval before publication |
| Internal | Allowed | By exception | Approved internal tools | Approved tools only | By exception | Controlled | Avoid public discussion | Recipient check |
| Confidential | Approved channels | Secure method only | Approved secure portal | Restricted | Encrypted and approved | Tracked transfer | Private setting only | Encryption, access control, logging |
| Highly confidential / regulated | Restricted | By exception with approval | Restricted secure portal | Prohibited unless approved | Strongly restricted | Tamper-evident/tracked | By exception | Formal approval, strong encryption, receipt confirmation |
Transfer checklist
- Information classification confirmed.
- Recipient identity verified.
- Transfer channel approved for classification.
- Encryption or secure portal used where required.
- External sharing approved where required.
- Third-party agreement exists where required.
- Retention and deletion expectations understood.
- Transfer logged or evidence retained where required.
- Incident process known if transfer fails or goes to wrong recipient.
Related notes
- Template
- Iso27001
- A5 14
- Information transfer
Note Metadata
Aliases: Information Transfer Matrix
Source: 90 Templates/Information Transfer Rules Matrix.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- A.5.14 Audit Evidence Pack
- A.5 Organizational Controls Implementation Guide
- ISO 27002 Annex A Control Interpretation Map
- A.5.14 Audit Checklist
- Approved Sensitive Data Flow Register
- Information Classification and Handling Matrix
- Third-Party Information Transfer Agreement Checklist
- Templates MOC