Expert Advice Community

Annex A Security controls

Created:   Aug 20, 2020 Last commented:   Aug 20, 2020


Q. Do we have to address all the Annex A Security controls on the risk assessment & treatment table. Or do we only list which assets are threats?  Or do we address both as elements – Assets and controls? I’m a bit confused.

I know all the Security Controls need to be addressed on the SoA. Then we indicate which ones are high risk & what implementation we put in place to mitigate those controls.

Also, how do you structure the ISMS Manual? Or is it the combination of all the policies and procedures put together?

I’ve only done an ISO 9001 Quality Manual before, so I'm not sure if it's structured the same way.

Please advise on the above?


Expert
Rhand Leal Aug 20, 2020

1 - Do we have to address all the Annex A Security controls on the risk assessment & treatment table. Or do we only list which assets are threats?  Or do we address both as elements – Assets and controls? I’m a bit confused.

I know all the Security Controls need to be addressed on the SoA. Then we indicate which ones are high risk & what implementation we put in place to mitigate those controls.

Answer: In the risk assessment table you identify the assets and their related threats and vulnerabilities (assets and threats are different things), so you can identify which risks are relevant to your organization.

In the risk treatment table, you copy only the risks from the risk assessment table you identified as not acceptable, and define the risk treatment option to be applied (i.e., mitigate the risk, avoid the risk, accept the risk or transfer the risk) and applicable controls. You do not need to address all the Annex A Security controls, only those that can treat the risks for which you define the option "mitigate the risk" or "transfer the risk".

For further information, see:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

In the Statement of Applicability, you need to address all controls, because you need to justify not only the controls that are applicable, but also the controls that are not applicable.

For further information, see:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

2 - Also, how do you structure the ISMS Manual? Or is it the combination of all the policies and procedures put together?

I’ve only done an ISO 9001 Quality Manual before, so I'm not sure if it's structured the same way.

Answer: Please note that ISO 27001 requirements do not prescribe the development of an ISMS Manual, and for good reasons. If you put all the policies and procedures into a single document, this will make the reading of such a document very difficult. Additionally, the standard already has a requirement for a document that describes how a company will implement its information security – it is called Statement of Applicability.

This article will provide you with further explanation about the ISMS Manual:
- Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/

This material will also help you regarding ISMS documentation:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Guest
TIM SWART Aug 20, 2020

Thanks, this information makes the standard easier to implement.

Good to know you don't have to write a complete ISMS Manual.
