Expert Advice Community

Controls applicability

Guest user Created:   Jul 06, 2017 Last commented:   Jul 06, 2017

I am working in an ISMS implementation project in a company where the whole IT operations are outsourced to an IT company within the same group. Everything related to IT is ordered as a service; no assets are owned (hardware, applications, service desk, etc.). This service provider is also implementing an ISMS. Can we declare the controls, e.g. from A.12, as "not applicable" because these controls are all within the responsibility of the provider (my opinion)? Or shall we declare them "applicable" and refer to the ISMS of the provider (opinion of internal audit)?

Expert
Rhand Leal Jul 06, 2017

P.S. We did a risk assessment for the IT services delivered and chose the controls from A.15 for risk mitigation.

Answer: Even if your organization's IT operations are outsourced, some controls from section A.12 might still be applicable to it, like A.12.1.2 (change management), A.12.1.3 (capacity management), and A.12.7.1 (information systems audit controls), so you have to perform an evaluation first to verify this situation before considering all controls as "not applicable". For those that are totally under the provider's control you can state them as "not applicable", providing as justification that the IT operation is outsourced.

Regarding stating a control as "applicable" by referring to the ISMS of another organization, you cannot do that, because you do not have control over the provider's ISMS (at most you are an interested party, a customer, that is considered in that ISMS's context). For situations like that you can state controls from section A.15 as "applicable" to your ISMS, to ensure that the provider will take as much care of IT security as if you were performing the IT operations yourself. For example, if in your IT operations you would use backup practices, you have to ensure the service agreement also defines that the provider has to use backup practices.

This article will provide you further explanation about suppliers and controls applicability:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

These materials will also help you regarding suppliers and controls applicability:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/