Expert Advice Community

Guest

Annex controls in SOA

Guest user Created:   May 13, 2020 Last commented:   May 13, 2020


I am a little confused about the SOA document. This document is supposed to directly reference the Annex A controls, but in the SOA it says:

https://www.screencast.com/t/hx3EjFzq

There is no A.5.1.1 in the Annex A controls I have. Also, 6.1 in the SOA talks about information security roles and responsibilities; where did that come from in the Annex A controls? I just have BYOD and mobile device policies.


Expert
Rhand Leal May 13, 2020

Please note that there is no need for a folder A.5 in the toolkit, because the policies needed to fulfill the controls from section A.5 of ISO 27001 Annex A are included in all the other folders that are part of folder 08 Annex A. In short, controls from section A.5 are not documents by themselves, but refer to other documents (A.5.1.1) and practices to be performed on them (A.5.1.2).

Regarding controls from section A.6.1, please note that roles and responsibilities are defined in each policy and procedure, so there is no need for a specific document to cover control A.6.1.1.

According to our experience, the BYOD and Mobile Device and Telework policies are sufficient to cover the controls of section A.6.

Additionally, it is important to understand that ISO 27001 does not require every applicable control to be a separate document. In some cases, you only need to give a brief description of how it is implemented, and you can do that in our SoA template, in the column "Implementation Method".

This article will provide you a further explanation about the Statement of Applicability:
