Expert Advice Community

Handling of requirements

Guest user Created:   Oct 29, 2019 Last commented:   Oct 29, 2019

What to do with the demands of a standard that have long since been overcome? You know what I am thinking.

Expert
Rhand Leal Oct 29, 2019

If I understood correctly, you are referring to two possible situations:

  1. The standard's requirements no longer make sense for the purpose of the standard.
  2. The standard's requirements do not make sense for your organization's context.

In the first case, during the standard review (which occurs approximately every 5 years) such requirements can be excluded or reformulated.

In the second case, you have to verify in the standard whether the requirement is mandatory or whether there is any condition for exclusion that can be applied to your organization. In the case of ISO 27001, requirements from sections 4 to 10 are mandatory (you cannot exclude any of them), and controls from Annex A can be excluded considering the results of the risk assessment.
