Expert Advice Community

ISO 27001 Annex A controls

Guest user, created Dec 21, 2018, last commented Dec 21, 2018

I have a question regarding The Annex A controls within 27001. Do we have to implement all controls (I think total of 115)? For example, looking at the “checklist_of_mandatory_documentation_required_by_ISO_27001_2013.pdf” file within the toolkit, I can see that A.8.1.2 is not within the “Which documents and records are required?” section.
Expert
Rhand Leal Dec 21, 2018

Though, we will also be implementing A.8.1.2 (assigning an owner to each asset identified).
Also, in our SoA, we have set A.8.1.1 "inventory of assets" as "no", the reason being that we already have an inventory of assets (as stated above, we will be assigning asset owners) and during the risk assessment none of the risks we found were related to the asset inventory.
With this scenario, I am inclined to think that we should have a risk item within the risk assessment/treatment documents directly related to this (inventory of assets). Then, once we have assigned an asset owner to each identified asset, we can close this risk item with control A.8.1.1. In turn, in our SoA, A.8.1.1 will then be "yes"?

Answer:

Any control from ISO 27001 Annex A must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., contracts, laws, and regulations) that require the implementation of the control
- There is a top management decision requiring the implementation of the control

If none of these occur, there is no need to implement any control considering ISO 27001 requirements.

So, considering your scenario, if you already have an inventory of assets implemented, in your SoA the control must be considered "Applicable", and for the justification you should verify why the inventory was implemented (e.g., because of a negative situation that occurred, because a risk was identified well before the ISMS implementation started, because you had a legal requirement to fulfill, or because top management considered the inventory a good practice to be implemented). There is no obligation for a risk to be used as the justification for a control to be applicable. The same rationale applies to control A.8.1.2 as well.

This article will provide you with further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
