Energy Management
We are an energy utility company and are seeking to implement ISO 27001:2022 throughout our business units. We also came across ISO 27019:2020, and there are some additional controls specifically for energy utility companies. Do we need to add these controls in our SOA? If so, how do we insert them? Thank you!
Unless you have specific legal requirements (e.g., laws, regulations, or contracts) demanding implementation of ISO 27019 controls, you do not need to include them in the ISMS implementation.
Please note that ISO 27001 controls are comprehensive enough to be applied to any industry, and ISO 27019 only provides specific implementation guidance and controls for the energy utility industry.
In case you need to include ISO 27019 in your implementation, based on the results of the risk assessment and applicable legal requirements, you either include the relevant additional recommendations in the existing controls they refer to (e.g., in case there are specific recommendations for control A.9.1.1 – Access control policy, you include these specific recommendations in the way you implement it), or you include a new control specific to the standard (e.g., control 12.9.1 – Integrity and availability of safety functions).
Mar 15, 2023