Difference between controls
What I do not understand is the difference between controls to be assigned based on risk assessment (and risk treatment) and controls to be implemented based on the Information Security Policy.
Please note that ISO 27001 requirements for the Information Security Policy (clause 5.2) do not prescribe that controls need to be implemented based on the Information Security Policy. The purpose of the Information Security Policy is to set the organization’s high-level expectations for information security (e.g., information security objectives, fulfillment of legal requirements, commitment, etc.).
The definition of controls to be implemented is prescribed by clause 6.1.3 “b” (information security risk treatment).
This article will provide you with a further explanation about the selection of controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding the selection of controls:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Apr 09, 2021