How to select appropriate controls from Annex A

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

It's tricky to fill out the Risk Treatment - how to remember all 133 controls and select the appropriate ones?

DejanK Jan 12, 2016

Answer: You cannot possibly remember all the controls, but it would be helpful if you remembered which sections of Annex A exist - e.g. IT operations, Incident management, Business continuity, Compliance, etc. This way, when you have a risk, it is easier for you to search for an appropriate control.

The other thing is not to go too far - in most cases it will be enough to select 2 or 3 most appropriate controls; you can select more controls only if you have a really large risk.

By the way, the old 2005 revision of ISO 27001 had 133 controls; the new ISO 27001:2013 has 114 controls.

Guest post Jan 12, 2016

As per my understanding of 27001, officially none of the 133 (or 114) controls are mandatory. Whichever we can justify in the SOA as not applicable can be exempted. So, hypothetically speaking, if an organization CAN justify all of the 133 (or 114) controls as not applicable, can it still be ISO 27001 compliant?

DejanK Jan 12, 2016

No, such a company wouldn't be compliant with ISO 27001 because the purpose of the ISMS is to preserve the confidentiality, integrity and availability of the information in its scope (clause 0.1 of ISO 27001:2013).

Since no controls would be applied, this means that C-I-A wouldn't be preserved.

Guest post Jan 12, 2016

Dear Dejan
Thank you for your valuable reply.
As per my question, it was a hypothetical scenario where the SOA has valid justifications to exclude all the controls. Don't jump to the conclusion that C-I-A won't be preserved. I know this is a very impractical question and you will not want to waste your time on this, but just to humor me, please answer for the scenario only. I'm kind of starting from scratch and want to have a foolproof understanding.

Thanks in advance.

DejanK Jan 12, 2016

I'm sorry, but I have to conclude that in order to preserve the C-I-A you need to apply certain controls. The information cannot be protected without controls, so if there are no controls applied, the preservation of C-I-A won't be possible.

Guest post Jan 12, 2016

Dear Dejan
Thanks for your insight. I understand how stupid my question must have sounded.
Thank you very much for taking time to answer it.

DejanK Jan 12, 2016

Don't worry, there are no stupid questions. Actually, I receive this question quite often, but this is the first time I have answered it through this forum.
