Communication Security
I want to know how to document network controls when we don't have a specific server for our company connecting the computers.
All our databases are cloud based, so we don't require a server. Can I exclude A.13.1 fully.
Assign topic to the user
I'm assuming your organization is using outsourced cloud services.
Considering that, you can exclude controls only if you do not have relevant risks that can be treated by them, and there are no legal requirements (e.g., laws, regulations, or contracts). For example, the organization needs to implement a control to fulfill GDPR, or there are relevant risks related to information backup.
When using outsourced cloud services, you can verify if the provider has implemented such controls. In case they did, define in Statement of Applicability that the required controls are implemented by the provider.
This article will provide you a further explanation about supplier management:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Comment as guest or Sign in
Jul 10, 2020