Expert Advice Community

Guest user Created:   Oct 12, 2021 Last commented:   Oct 14, 2021

Implementing controls

Another question please: in implementing an ISMS to ISO 27001 standards, should all the controls in a particular policy be implemented? E.g., A12.1.1, Controls against Malware, in the implementation guidance in ISO 27002, has 12 controls. Should all 12 controls be implemented in order to meet the requirements of the standard?


Expert
Rhand Leal Oct 12, 2021

I’m assuming you are referring to control A.12.2.1 (Controls against malware).

Regarding ISO 27002, the elements described are recommendations, not controls. 

In other words, what is written in ISO 27002 is not mandatory for the implementation.

ISO 27001 does not prescribe how to implement controls, and you only need to implement the recommendations from ISO 27002 for which you have identified relevant risks or applicable legal requirements. In other words, if control A.12.2.1 is applicable to you, then depending on the results of the risk assessment and the identified legal requirements, you may need to implement only one, or all twelve, of the recommendations defined for this control.

This article will provide you with a further explanation about handling malware:
- How can ISO 27001 help protect your company against ransomware? https://advisera.com/27001academy/blog/2016/11/14/how-can-iso-27001-help-protect-your-company-against-ransomware/

Guest
Guest user Oct 12, 2021

Should all controls in ISO 27001 be made into policies? E.g., A7 Human Resource Security: the controls A7.1.1 Screening, A7.1.2 Terms and conditions of employment, etc. Should policies be created out of all these controls?

Expert
Rhand Leal Oct 14, 2021

First, it is important to note that only controls deemed applicable due to the results of the risk assessment and applicable legal requirements need to be implemented. So, depending on the organizational context, not all controls from ISO 27001 Annex A may need to be implemented.

For those controls deemed applicable, not all of them may need to be included in policies or procedures.

These articles will provide you with a further explanation about documenting controls:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
