How to select appropriate controls from Annex A
Answer: You cannot possibly remember all the controls, but it would be helpful if you remembered which sections of Annex A exist - e.g. IT operations, Incident management, Business continuity, Compliance, etc. This way, when you have a risk, it is easier for you to search for an appropriate control.
The other thing is not to go too far - in most cases it will be enough to select the 2 or 3 most appropriate controls; you can select more controls only if you have a really large risk.
By the way, the old 2005 revision of ISO 27001 had 133 controls; the new ISO 27001:2013 has 114 controls.
As per my understanding of 27001, officially none of the 133 (or 114) controls are mandatory. Whichever we can justify in the SOA as not applicable can be exempted. So, hypothetically speaking, if an organization CAN justify all of the 133 (or 114) controls as not applicable, can it still be ISO 27001 compliant?
No, such a company wouldn't be compliant with ISO 27001 because the purpose of the ISMS is to preserve the confidentiality, integrity and availability of the information in its scope (clause 0.1 of ISO 27001:2013).
Since no controls would be applied, this means that C-I-A wouldn't be preserved.
Dear Dejan
Thank you for your valuable reply.
As I said, my question was a hypothetical scenario where the SOA has valid justifications to exclude all the controls. Don't jump to the conclusion that C-I-A won't be preserved. I know this is a very impractical question and you will not want to waste your time on it, but just to humor me, please answer for the scenario only. I'm kind of starting from scratch and want to have a foolproof understanding.
Thanks in advance.
I'm sorry, but I have to conclude that in order to preserve the C-I-A you need to apply certain controls. The information cannot be protected without controls, so if there are no controls applied, the preservation of C-I-A won't be possible.
Dear Dejan
Thanks for your insight. I understand how stupid my question must have sounded.
Thank you very much for taking time to answer it.
Jan 12, 2016