Expert Advice Community

Difference between controls

Guest user Created:   Apr 09, 2021 Last commented:   Apr 09, 2021

I do not understand the difference between controls to be assigned based on risk assessment (and risk treatment) and controls to be implemented based on the Information Security Policy.

Expert
Rhand Leal Apr 09, 2021

Please note that ISO 27001 requirements for the Information Security Policy (clause 5.2) do not prescribe that controls need to be implemented based on the Information Security Policy. The purpose of the Information Security Policy is to set the organization’s high-level expectations for information security (e.g., information security objectives, fulfillment of legal requirements, commitment, etc.).

The definition of controls to be implemented is prescribed by clause 6.1.3 “b” (information security risk treatment).

This article will provide you with a further explanation about the selection of controls:

These materials will also help you regarding the selection of controls:
