Expert Advice Community


Applicability of controls

Guest user Created:   Feb 13, 2018 Last commented:   Feb 13, 2018


I have a question: I marked the whole section A.16 Information Security Incident Management as not applicable. You have made no comment on that. My question is this: Is that even allowed? Can it make any sense to not have an Incident Management system, when you strive to work in accordance with the PDCA cycle?

ISO 27001 STATEMENT OF APPLICABILITY

List all controls and determine which are applicable and why.


Expert
Rhand Leal Feb 13, 2018

Answer: A control from Annex must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
- There is a top management decision requiring the implementation of the control

If none of these occurs, there is no need to implement a control considering ISO 27001 requirements (in practice, it is hard for none of these to apply to incident management; it is extremely rare that a company does not have any control from section A.16). Since you did not provide the justification for exclusion in your document, it is not possible to evaluate whether the exclusion is acceptable or not (at the beginning of the document, about control A.6.1.1, there is a comment about the same issue: justification for inclusion/exclusion).

This article will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
