Conformio documentation access
Please note that only the documents from ISO 27001 Documentation Toolkit are included in Conformio.
Considering that, documents “Cloud Security policy” and “Policy for data privacy in the cloud” are not available in Conformio.
Regarding the other documents you mentioned, they will appear automatically in the Step-by-step wizard once the List of Legal Requirements, Risk Register, Statement of Applicability and Risk Treatment Plan are completed. Two observations are important:
- The “Secure system engineering principles” is not a document but a control, which is covered in the “Secure Development Policy”.
- The “Business continuity procedure” is not required by ISO 27001; to cover continuity of information security it is enough to have the “Disaster recovery plan”.
First, thanks for the platform; it really makes a difference when implementing ISO 27001.
As I was explaining to Aleksandra, it is my first time implementing the 27k; however, I've done the 9k, 14k and 18k a few times.
Here we are aiming to certify the 01, 17 and 18, as I mentioned before, and yesterday I had the chance to see the 17 and 18 for the first time. I know what the idea behind them is, but now I am not 100% sure about which controls/policies I should implement and worry about.
From 27017/18 (controls with implementation guide) and Annex A of 27017/18, my question is: can I skip most/a few of them, or should I implement everything, or the ones I think are the right ones, just the ones applicable to the company's scope?
This question came after I saw the Annex A from 17 and 18. Not sure how to deal with them now.
I hope you can help me.
First, it is important to note that unless you have specific requirements demanding the use of ISO 27017 and ISO 27018 (e.g., laws, regulations, or contracts), the controls available in ISO 27001 are sufficient to cover cloud security.
Considering that, please note that the application of ISO 27017 and ISO 27018 controls follows the same principles as for ISO 27001: controls are selected according to the results of the risk assessment, applicable legal requirements, or as a top management decision.
As a result, to be compliant with ISO 27001 when using ISO 27017 and ISO 27018:
- you need to implement controls identified as needed to treat relevant risks and those defined by legal requirements
- you can skip controls for which you do not have legal requirements or do not have relevant risks demanding their implementation
- you can implement the ones top management considers as a good practice.
This article will provide you with a further explanation about control selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding control selection:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Apr 26, 2021