Get 4 FREE months of Conformio to implement ISO 27001

Expert Advice Community

Guest

Inquiry

  Quote
Guest
Guest user Created:   Jan 17, 2023 Last commented:   Jan 17, 2023

Inquiry

I have two statements I have come across in information security that are kind of confusing me.

High level controls and Low level controls. I have noticed you rarely use them in your trainings or blogs but I need to understand what are they and how they apply to annex-a of ISO 27001. 

With some examples, kindly advise how the hierarchy of Annex A controls, and if it's really necessary to have a hierarchy.

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jan 17, 2023

ISO 27001 does not prescribe controls hierarchy to be implemented, so large majority of companies do not differentiate between high and low level controls. We also do not recommend this approach because it only creates an overhead.

Although ISO 27001 does not specify this, you could apply "high-level" and "low-level" concept to policies - the top-level Information Security Policy could be considered as a "high-level" policy because it defines security rules for a whole company, whereas a "low-level" policy could be Backup policy because it defines security rules for only one part of the company.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 17, 2023

Jan 17, 2023