Today I had a discussion with an auditor here in XXXX. The discussion was about which controls in Annex A are mandatory (if they are) and why. The auditor insisted (due to instructions she seemed to have) that only the following controls are mandatory (i.e. they cannot be excluded from the ISMS, as she said):
- A.5.1.1 – Policies for information security
- A.5.1.2 – Review of the policies for information security
- A.6.1.1 – Information security roles and responsibilities
- A.12.1.2 – Change management
- A.18.1.1 – Identification of applicable legislation and contractual requirements
- A.18.1.2 – Intellectual property rights
After having a look at your website, I found out that the following controls are listed as mandatory:
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
I have very much enjoyed your online course. It has provided helpful information and tips, but now I am facing a great dilemma. Which of the above information is correct, and why?
I only guess that the word ‘documented’ determines which controls are mandatory. However, A.7.1.2 is not described as ‘documented’ in Annex A (I have ISO/IEC 27001:2014). On the other hand, I do not understand why controls in Annex A can be regarded as mandatory. Does this mean that an organization cannot exclude them in the Statement of Applicability even if they are not considered as applicable?! Hard to believe.
As I often trust the information and knowledge provided in your online course, I hope you can provide some satisfactory clarification on this issue.
Answer: Controls listed in ISO 27001 Annex A are mandatory only to treat risks deemed unacceptable, to comply with laws, contracts or other legal requirements, or if demanded by top management decisions. So, if any one of these reasons applies, an organization cannot declare a control not applicable if it wants to certify its ISMS against ISO 27001.
Considering the controls mentioned by the auditor, they are needed to support the organization's fulfilment of ISO 27001 requirements for certification (the condition to comply with legal requirements is applicable here):
- Control A.5.1.1 would help cover clause 5.2 (Policy), because an organization has to have at least the Information Security Policy
- Control A.5.1.2 would help cover clause 9.3 (Management Review), because, if on no other occasion, policies should be reviewed at the management review
- Control A.6.1.1 would help cover clause 5.3 (Organizational roles, responsibilities and authorities)
- Control A.12.1.2 would help cover clauses 7.5.3 c) (control of documented information) and 10.1 e) (Nonconformity and corrective action)
- Control A.18.1.1 would help cover clause 4.2 (Understanding the needs and expectations of interested parties)
In my view, only control A.18.1.2 – Intellectual property rights does not have an explicit link with the standard's clauses (they do not mention intellectual property rights or the use of proprietary software products), but it is unlikely that an organization can operate without considering them (an organization should at least consider its own intellectual property and proprietary software).