Expert Advice Community

Document 14.1

Guest user Created:   Aug 09, 2021 Last commented:   Aug 09, 2021

Can you explain how document 14.1 should be filled out? I understand that there's some relationship to the risks listed in document 5.1, but I'm not sure which assets are required to be listed in document 14.1.


To be more specific, we're running a SaaS company with at least these three types of information systems:
Software used in internal development.
The software that we develop. Note that the version of this software changes as we're developing it.
The software that runs in the production environment.

I'm not sure which ones of these should be listed in 14.1.

Expert
Rhand Leal Aug 09, 2021

I’m assuming you are referring to Appendix 1 – Specification of Information System Requirements.

Considering that, you should create this record for each piece of software listed in your Risk Treatment Table for which you have identified risks that need to be treated by control A.14.1.1 (Information security requirements analysis and specification). Please note that these records can be created either for each individual piece of software or as a single record for a set of software that shares the same security requirements.

Considering the software under development, you need to create a record for each new version (this will help you track the changes and evolution in security requirements).

For further information, see:
