Annex controls in SOA
I am a little confused about the SOA document. This document is supposed to directly reference the Annex A controls, and in the SOA it says
There is no A.5.1.1 in the Annex A controls I have. Also, 6.1 in the SOA talks about "Information security roles and responsibilities". Where did that come from in the Annex A controls? I just have BYOD and mobile device policies.
Please note that there is no need for a folder A.5 in the toolkit, because the policies needed to fulfill the controls from section A.5 of ISO 27001 Annex A are included in all the other folders that make up folder 08 Annex A. In short, controls from section A.5 are not documents by themselves; they refer to other documents (A.5.1.1) and to practices to be performed on them (A.5.1.2).
Regarding controls from section A.6.1, please note that roles and responsibilities are defined in each policy and procedure, so there is no need for a specific document to cover control A.6.1.1.
According to our experience, the BYOD and Mobile Device and Telework policies are sufficient to cover the controls of section A.6.
Additionally, it is important to understand that ISO 27001 does not require every applicable control to be a separate document. In some cases, you only need to give a brief description of how it is implemented, and you can do that in our SoA template, in the column "Implementation Method".
This article will provide you with a further explanation about the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
May 13, 2020