Expert Advice Community

Are Annex A.11 controls mandatory?

Guest user   Created: Aug 23, 2018   Last commented: Aug 23, 2018

My question is regarding the Annex A.11 physical and environmental controls of the ISO 27001 standard: is there a mandatory requirement to have internal or outsourced physical security (human) in the company building, or is this control implemented based on the company's risk assessment?

Expert
Dejan Kosutic Aug 23, 2018

Answer:

ISO 27001 says that none of the controls are mandatory, and that you have to apply a control only if there is a reason to do so. The reasons could be the risk assessment, a contractual or regulatory requirement, or, e.g., a business decision by your management.

So physical and environmental controls are not mandatory, and you should apply them only if the risks are too high, if you have a client asking you to do this, or if there is some other business reason to do so.

This article will help you: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

These materials will also help you regarding risk assessment and controls:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own: https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course: https://advisera.com/training/iso-27001-foundations-course/
