ISO 27001 evidence for file transfer: A.8 controls that fail audits

ISO 27001:2022 Annex A puts information transfer and logging squarely in scope. Teams pass network and endpoint audits, then fail the surveillance audit because their SFTP share has no exportable evidence. Auditors do not care that files moved successfully — they care that you can prove who moved them and that the control operated for the full period.

A.8.10 — Information deletion

Retention policies must be documented and enforced. "We delete old files manually" is a finding. You need per-folder retention rules, legal-hold override with approval trail, and proof of deletion (timestamp, actor, file identifier). SFTP appliances without lifecycle automation force ops to script cleanup — scripts that break silently and leave auditors with gaps.

A.8.12 — Data leakage prevention

For MFT this maps to access boundaries: who can upload vs download, per-partner isolation, no world-readable directories. Evidence includes role matrices, sample permission exports, and logs showing denied access attempts. Shared inbound folders where any authenticated user reads any file fail this control in regulated industries.

A.8.15 and A.8.16 — Logging and monitoring

Per-transfer events must capture user or service identity, source IP, file name or hash, byte count, protocol, timestamp, and success/failure. Centralized syslog is not enough if fields are incomplete. Auditors sample 20 random transfers and trace each to a log line. Clock sync (NTP) and log integrity matter — if logs can be edited on the same host that stores files, expect a major nonconformity.
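An added illustration of the field check above, not code from the original article: it validates an exported transfer log against the required fields so that every sampled transfer either traces to a complete record or produces a finding. The JSON-lines record shape and the sample export are constructed assumptions, not any product's format.

```python
import json
from datetime import datetime

# Fields every transfer event must carry for A.8.15 evidence (identity, source IP,
# file name or hash, byte count, protocol, timestamp, success/failure).
REQUIRED_FIELDS = ("user", "source_ip", "file", "bytes", "protocol", "timestamp", "result")

# Constructed sample export in JSON lines (assumed shape, not a real product format).
# Line 2 lacks a byte count, line 3 has a non-ISO timestamp, line 4 is not JSON.
SAMPLE_EXPORT = """\
{"user":"partner-acme","source_ip":"203.0.113.10","file":"inv-1001.csv","bytes":48213,"protocol":"sftp","timestamp":"2024-03-01T08:15:02Z","result":"success"}
{"user":"partner-acme","source_ip":"203.0.113.10","file":"inv-1002.csv","protocol":"sftp","timestamp":"2024-03-01T08:16:40Z","result":"success"}
{"user":"svc-erp","source_ip":"10.0.5.20","file":"export.zip","bytes":1048576,"protocol":"ftps","timestamp":"01/03/2024 09:00","result":"failure"}
not json at all
"""

def check_record(line_no, raw):
    """Return audit findings for one exported line; an empty list means it traces cleanly."""
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError:
        return [f"line {line_no}: unparseable record"]
    findings = []
    for field in REQUIRED_FIELDS:
        if field not in rec or rec[field] in ("", None):
            findings.append(f"line {line_no}: missing field '{field}'")
    ts = rec.get("timestamp")
    if isinstance(ts, str):
        try:
            # ISO 8601 with explicit UTC lets events from different hosts be ordered (the NTP point).
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"line {line_no}: timestamp not ISO 8601: {ts!r}")
    if rec.get("result") not in (None, "success", "failure"):
        findings.append(f"line {line_no}: result must be 'success' or 'failure'")
    return findings

def audit_export(text):
    """Validate a whole export; returns counts the evidence pack can cite plus the findings."""
    lines = [l for l in text.splitlines() if l.strip()]
    findings, complete = [], 0
    for i, raw in enumerate(lines, start=1):
        rec_findings = check_record(i, raw)
        complete += not rec_findings
        findings.extend(rec_findings)
    return {"records": len(lines), "complete": complete, "findings": findings}

if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    print(f"{report['complete']}/{report['records']} records trace cleanly")
    for finding in report["findings"]:
        print(" -", finding)
```

Run it against a real export before the auditor does; any finding is a gap in the control's evidence, not just a formatting nit.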

Building the evidence pack

Before stage 2, assemble: (1) data-flow diagram from partner to storage, (2) encryption spec (TLS version, cipher suites, at-rest algorithm), (3) three months of exported audit logs, (4) access review sign-off, (5) incident response runbook that mentions file-transfer abuse. Cloud MFT with tenant isolation and one-click audit export collapses weeks of evidence gathering into an afternoon.

Score your readiness with the MFT audit checklist and estimate downtime exposure with the RPO/RTO estimator before surveillance season.