Implementation of ISO 27001 controls
Hello, I have been a risk analyst for 3 years and I have been carrying out a gap analysis of ISO 27001 covering the 114 controls. As a result I now have a global percentage, which does not tell me where I should start implementing controls. I should point out that this is not for certification but as a risk management process. I would like to know whether some controls are more important than others. You may tell me that it depends on which ones apply to the company, but all of them apply. I should mention that I did the review at a detailed level and I have a compliance percentage per control. I would start with those that scored lowest in percentage, but I want to know whether there is an order of relevance for this case, or whether you can suggest something based on good practice. Thank you in advance for your help.
Since you already identified all controls that are applicable and the percentage by which they are already implemented, my suggestions for additional criteria to prioritize implementation are:
- controls which affect the highest risks (in fact this should be your first criterion)
- which controls will have a more positive impact after implementation
- which controls require less effort to be implemented
Regarding starting with those that are lower in percentage, please note that a common risk in implementation projects is that a long period without results can decrease interest in the project by its supporters, so you should balance the implementation of controls which treat the highest risks with those that deliver the quickest results (i.e., implemented and measured controls as fast as you can).
These articles will provide you with a further explanation about common controls:
- The most common physical and network controls when implementing ISO 27001 in a data center https://advisera.com/27001academy/blog/2019/02/26/the-most-common-physical-and-network-controls-when-implementing-iso-27001-in-a-data-center/
- How to apply information security controls in teleworking according to ISO 27001 https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/
These materials will also help you regarding controls implementation:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
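The prioritization criteria given in the answer above (risk treated first, then expected benefit and implementation effort, interleaved so that quick wins keep the project visible) can be applied mechanically to the per-control percentages from a gap analysis. The script below is an added example, not code from the original post or from Advisera; the Annex A control references are from the 2013 edition of the standard, and every compliance percentage, risk rating, impact and effort value is a constructed sample, not data from any real assessment. It contrasts the "lowest percentage first" order the questioner proposed with a risk-driven order that alternates the control treating the most open risk with the best quick win.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str       # Annex A reference (ISO/IEC 27001:2013)
    name: str
    compliance_pct: int   # result of the gap analysis, 0..100
    risk: int             # highest risk rating the control treats, 1 (low) .. 5 (critical)
    impact: int           # expected positive impact once implemented, 1..5
    effort: int           # implementation effort, 1 (trivial) .. 5 (major project)


# Constructed sample data: the ratings are assumed values for illustration only.
SAMPLE_CONTROLS = [
    Control("A.12.6.1", "Management of technical vulnerabilities", 20, 5, 5, 3),
    Control("A.9.2.3", "Management of privileged access rights", 40, 5, 4, 2),
    Control("A.12.3.1", "Information backup", 70, 4, 4, 2),
    Control("A.16.1.1", "Incident management responsibilities and procedures", 10, 3, 3, 1),
    Control("A.11.1.1", "Physical security perimeter", 30, 2, 2, 5),
    Control("A.7.2.2", "Information security awareness, education and training", 50, 3, 4, 1),
]


def gap(c: Control) -> int:
    """Share of the control that is still missing."""
    return 100 - c.compliance_pct


def risk_score(c: Control) -> int:
    """First criterion: how much risk the unimplemented part of the control leaves open."""
    return c.risk * gap(c)


def quick_win_score(c: Control) -> float:
    """Second and third criteria: benefit of closing the gap relative to the effort it costs."""
    return c.impact * gap(c) / c.effort


def lowest_percentage_first(controls) -> list[str]:
    """The questioner's proposed order: start with the lowest compliance percentage."""
    return [c.control_id for c in sorted(controls, key=lambda c: c.compliance_pct)]


def prioritize(controls) -> list[str]:
    """Alternate the control with the highest open risk and the best quick win until
    every control is scheduled, so early results arrive while the big risks are treated."""
    remaining = list(controls)
    order = []
    pick_risk = True
    while remaining:
        key = risk_score if pick_risk else quick_win_score
        best = max(remaining, key=key)
        order.append(best.control_id)
        remaining.remove(best)
        pick_risk = not pick_risk
    return order


if __name__ == "__main__":
    print("lowest percentage first:", lowest_percentage_first(SAMPLE_CONTROLS))
    print("risk-driven with quick wins:", prioritize(SAMPLE_CONTROLS))
    for c in SAMPLE_CONTROLS:
        print(f"{c.control_id:9} gap={gap(c):3} risk_score={risk_score(c):4} "
              f"quick_win={quick_win_score(c):6.1f}  {c.name}")
```

On the sample data the naive order puts the physical perimeter control (low risk, high effort) third, while the risk-driven order starts with vulnerability management and then the cheap incident-procedure gap, which is the balance the answer recommends. The risk, impact and effort ratings should come from the organisation's own risk assessment; the scoring only makes the trade-off explicit.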
May 13, 2020