
Expert Advice Community

Guest

Mapping of requirements on controls

Guest user Created:   Jul 22, 2022 Last commented:   Nov 23, 2022

Here’s another question about the mapping of requirements on controls. We have a customer requirement that relates to regular reporting on the effectiveness of the ISMS. I think it would be appropriate to map this onto controls A.18.2.*. From the mapping document this does not seem to be possible. There is no corresponding ‘Compliance’ area that can be selected. Actually, A.18.* controls are absent from the mapping altogether, as is the case for A.7 Human resources controls. Should a compliance area not be selectable in the requirements register, and should A.18.* not be mapped as a result of mapping onto this area? Or any other area?


Expert
Rhand Leal Jul 22, 2022

Please note that a customer requirement related to regular reporting on the effectiveness of the ISMS can be best addressed by options “Reporting the performance of information security” or “Internal auditing”, and both are related to mandatory requirements, so they do not require any control to be applicable to be implemented.

Guest
Guest user Nov 22, 2022

Earlier I noted that it is not possible to map a requirement, specifically a requirement from the Data Insurance company for security awareness training, onto Human Resource control 7.2.2. In fact, a Human Resources area is missing altogether. I understood that this would be added, but I still cannot see it. When will this become available?

Expert
Rhand Leal Nov 23, 2022

Please note that to map an external requirement such as a requirement for an Insurance company, you should use the Register of Requirements module.

In the field “To what area is this requirement related?” you can use the option “Specifying mandatory safeguards”, and in the field “Description of the requirement” you can enter clause A.7.2.2.

As for the security awareness training, you can record this need in the Training module.
