Expert Advice Community


A.12.5.1 Vs A.12.6.2

Guest user Created:   Apr 01, 2020 Last commented:   Apr 01, 2020


I would like to clarify the document required against Annexure A Controls A-12.5.1 and A-12.6.2.

We have a written document against A.12.6.2 which specifies

    Users cannot install any software
    Only IT can install software
    All software to be approved by IT
    Software installation by end-users requires exception with risk impact.

Is there a separate document required against A.12.5.1?


Expert
Rhand Leal Apr 01, 2020

No separate document is required.

Please note that control A.12.5.1 only requires a procedure for software installation to be implemented, but it does not require you to be specific about which users can install software. If you require restrictions for users (e.g., only IT staff can install software or end-users only have install rights under specific conditions), you will need to complement the procedure with the recommendations of control A.12.6.2.
