Here’s another question about the mapping of requirements on controls.
We have a customer requirement that relates to regular reporting on the effectiveness of the ISMS. I think it would be appropriate to map this onto controls A.18.2.*. From the mapping document this does not seem to be possible. There is no corresponding ‘Compliance’ area that can be selected. Actually, A.18.* controls are absent from the mapping altogether, as is the case for A.7 Human resources controls.
Should a compliance area not be selectable in the requirements register and should A.18.* not be mapped as a result of mapping onto this area? Or any other area?
Please note that a customer requirement related to regular reporting on the effectiveness of the ISMS can be best addressed by the options “Reporting the performance of information security” or “Internal auditing”, and both are related to mandatory requirements, so they do not require any control to be applicable in order to be implemented.
Earlier I noted that it is not possible to map a requirement for security awareness training, specifically a requirement by the Data Insurance company, onto Human Resource control 7.2.2. In fact, a Human Resources area is missing altogether. I understood that this would be added, but I still cannot see it. When will this become available?