Applicability of A14 for Data Centre

Guest
Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

A large organization wishes to implement and certify only the IT Data Center, specifically the IT infrastructure. Application development and maintenance is completely excluded from the scope of implementation and certification.
Guest
Guest post Jan 12, 2016

The concern is the reference to Annex A: the 14th domain of ISO 27001:2013, System acquisition, development and maintenance.

Can all the controls of the 14th domain be excluded from the Statement of Applicability with appropriate justifying statements?

OR

Would certain sub-domains of the 14th domain, which do not specify application relevance and in general address 'systems', have to be included in the Statement of Applicability?

Answer:

You should select the controls based on 1) legal, regulatory and contractual requirements, and 2) the risk management activity.

You don't say whether the A14 controls are excluded due to the rule above, or whether Application Development and Maintenance is outsourced (because you don't have the internal capability) or is simply excluded from the scope for any other reason.

In the second case, what you outsource has to be covered by the A15 controls.

However, it sounds strange to me to certify an empty IT infrastructure. You probably have data and applications on it. A14.1 is then fully mandatory based on the rule in the first sentence.
