Access control and working in secure areas
Having in mind that the first one is mandatory and the second one is not, how does it sound to merge them together? I find it much more comfortable and logical to have these procedures together, if there is a clear distinction in the document regarding facilities and systems/equipment/networks and so on. Is this a valid approach?
Answer:
First, it is important to note that controls from ISO 27001 Annex A are mandatory only if at least one of these situations happens:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
- There is a top management decision to implement the control, by considering it as good practice.
If none of the above conditions happen, there is no need to implement a document related to that control.
Considering that, you can merge these two controls into a single document if this makes it easier for your organization to understand and implement them.
These articles will provide you with further explanation about selecting controls and access control:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
Apr 13, 2019