Control A7.1.1
Control A7.1.1 is partially applied to Brazil under the law. In this case, can I put NO in the SOA and explain this or do I have to put YES and explain the exceptions?
From your question, it is not clear whether the law you are referring to demands screening or defines restrictions on screening.
Considering that, in case you identify a need to implement control A.7.1.1, but this implementation has legal limitations, you have to state in the SoA that this control is applicable with limitations, briefly explaining the exceptions. An example of a justification where you have a legal requirement demanding the control (e.g., a customer contract), but you also have another legal requirement defining limitations on its applicability would be "Control required by Customer contract ABC, limited by Brazilian Consolidation of Labor Laws (CLT)".
This article will provide you further explanation about applying security controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Apr 20, 2020