Referencing security controls in policies and procedures
At the start of the document 'Beleid voor aanvaardbaar gebruik' (acceptable use of information & means) you reference a number of control objectives from Annex A. These are referenced in an unspecific manner, without being specific about the way these are documented in this 'Beleid' or implemented individually. Does this not defeat the specific connection between risks and mitigating security measures, or are you of the opinion that that aspect (ISO 27001 clause 6.2) is covered sufficiently in the 'risk treatment plan'?
Clause 9.1 - measurement in ISO 27001 toolkit
I was reviewing the ISO 27001 standard and was reading section 9.1 about monitoring, measurement, analysis, and evaluation. How do your documents deal with this? I know at the end of some of the documents I've seen sections called "managing records kept on the basis of this document". This isn't how you are trying to monitor the effectiveness of processes and controls, is it? Have I overlooked a document? I'm not really seeing anything that addresses 9.1. I guess when I read 9.1 about monitoring, measurement, analysis, and evaluation, I'm thinking it is something more driven around key performance indicators (KPIs), service level agreements (SLAs), or something that would show stats about the effectiveness and relevancy, where there was more of a system that gave analytics of some type. What are your thoughts?