Expert Advice Community

Annex A

Guest user Created:   Mar 04, 2022 Last commented:   Mar 04, 2022

As a small organisation of only 6 staff that does no software development and only uses large-scale third-party systems such as Office 365, Windows 10, etc., am I safe to rule out all section 14 controls within Annex A other than the two listed below?
  • A.14.2.4 Restrictions on changes to software packages
    • Covered by the Change Management Policy
  • A.14.2.7 Outsourced development
    • Covered by the Supplier Security Policy
Expert
Rhand Leal Mar 04, 2022

Please note that according to ISO 27001, security controls can be required in order to treat relevant risks, to fulfill legal requirements (e.g., laws, regulations, contracts, etc.), or by management decision.

Considering that, you need to verify the results of the risk assessment, the applicable legal requirements, and your management objectives and strategies to decide which controls are applicable or not applicable.

For example, control A.14.2.9 System acceptance testing can be required for the acceptance of new information systems, upgrades, and new versions of software provided by third parties.

This article will provide you with a further explanation about the selection of controls:
