Expert Advice Community

Implementation of ISO controls

Guest user | Created: Mar 09, 2021 | Last commented: Mar 09, 2021

After reviewing what we’ve done so far for the ISO 27001 implementation, there has been a bit of uncertainty about the implementation of ISO controls.

Before starting with ISO 27001 we had already done a lot of things as securely as possible.

This has resulted in not many risks in our risk assessment and not many controls stated as applicable in the Statement of Applicability.

I read in various articles that the SoA should probably have 80–90% of the controls stated as applicable, whereas we only have a handful at most.

My question is whether we’re doing this right or might be misinterpreting something. Or perhaps our approach has been inadequate.

So far we’ve identified a few risks, decided which controls we should implement, and implemented those with help from the toolkit and videos. Hopefully you could give us a new perspective and help us find hidden risks.

Expert: Rhand Leal | Mar 09, 2021

Please note that hidden risks can be related to:

  • not considering, in the risk assessment, risks related to already implemented controls (such risks generally already have low values and are not considered for further treatment, but they still need to be identified in the risk assessment).
  • not involving all relevant personnel in the risk assessment (e.g., department manager, process owner, key user, etc.).
  • not giving the people involved proper training on how to perform the risk assessment.

Additionally, note that controls can also be related to legal requirements (laws, regulations, and contracts), and may need to be implemented even if there are no relevant risks.

If, after considering these items, you still find not enough controls related to risks or requirements, please note that typically smaller companies find 90 to 110 controls applicable, whereas larger companies find 105 or more. Some of these controls are marked as applicable only because organizations felt this was a logical decision (e.g., backup or passwords), and your organization can do the same.

These materials will also help you regarding risk assessment:
