
Expert Advice Community

Guest

How Annex A controls relate to ISO 27001 Requirements

Guest user. Created: Aug 26, 2021. Last commented: Aug 30, 2021


Can you please explain to me how the 'ISO27001 Annex A Controls' relate or map to the 'ISO27001 Requirements'?


Expert
Rhand Leal Aug 26, 2021

ISO 27001 Annex A Controls do not map to ISO27001 Requirements. They are used to help fulfill requirements “c” and “d” from clause 6.1.3 (Information security risk treatment), i.e., they are related to the main part of the standard primarily through the risk assessment and treatment processes.

For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- A quick guide to ISO 27001 controls from Annex A https://advisera.com/27001academy/iso-27001-controls/

These materials will also help you regarding ISO 27001 controls from Annex A:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Free online training ISO 27001 Foundations Course http://training.advisera.com/course/iso-27001-foundations-course/

Guest
Jean-Pierre Aug 26, 2021

Thanks for this explanation. You mention 'They are used to help fulfill requirements “c” and “d” from clause 6.1.3'. What are requirements “c” and “d” and where can one see all the requirements for all the clauses?

Expert
Rhand Leal Aug 30, 2021

Requirement 6.1.3 “c” refers to a comparison between controls to be applied with those in Annex A, to ensure that no necessary controls have been omitted.

Requirement 6.1.3 “d” refers to the development of the Statement of Applicability (SoA), informing the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.

The full text of these requirements can be found in the ISO 27001 standard (https://www.iso.org/standard/54534.html).
Due to Intellectual Property rights, the standard is not included in the toolkit, but you can find some explanation about the requirements in this paper:
