Controls selection

Another concern is CIS20 does not have (HR and physical security), whereas 27002 does. The proposed scope of XXXXXX ISMS will not include (HR and physical security), it would include only relevant CIS20 controls. (I understand I ca n add others, but due to scope do not want to add). So my question is … Can XXXXXX have a certified 27001 ISMS using CIS20 controls only?

Answer:

First it is important to note that all controls from ISO 27001 Annex (those controls are the same as the ones in ISO 27002) must be considered during an ISMS implementation complaint with ISO 27001. For all controls from Annex A you have to identify if they are applicable or not, and justify why they are applicable or not.

Second thing is, most of CIS 20 controls can be related to ISO 27001 Annex A controls (e.g., CIS control “Inventory and Control of Hardware Assets” can be related to ISO 27001 controls “A.8.1.1 Inventory of assets” and “A.8.1.2 Ownership of assets”), so in a sense when you implement CIS 20 controls you are considering particular controls from Annex A as applicable.

However you will need to list all the ISO 27001 controls that are not covered by CIS 20 and decide whether they are applicable or not.

This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

This material will also help you regarding ISO 27001:
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/