How ISO 27001 differentiates and classifies between security functional and non-functional requirements?
I am browsing through your website for the ISO 27001 controls and was wondering if you could explain to me how ISO 27001 differentiates and classifies between security functional and non-functional requirements?
ISO 27001 does not make such differentiation between controls from its Annex A, but considering that functional requirements define what a system does or must not do, and non-functional requirements specify how a system should do it, then it is possible to differentiate and classify controls. For example:
- examples of functional security controls: A.9.1.1 Access control policy, and A.10.1.2 Key management (if these controls are not properly implemented security does not work)
- examples of non-functional security controls: A.12.1.3 Capacity management, and A.12.4.1 Event logging (if these controls are not properly implemented security performance is affected)
For further information, see:
- A quick guide to ISO 27001 controls from Annex A https://advisera.com/27001academy/iso-27001-controls/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
Sep 23, 2020