ISO 27001 Risk Management
The problem is: is it necessary for there to be a clear link between a particular risk and a particular Annex A control? I mean, can each Annex A control (if we choose to implement it) be tracked down to a particular risk? And if that is the case, then what kind of risks lead us to controls such as A.5.1.1 and A.5.1.2?
Answer:
Yes, it is necessary to link particular risks with controls from Annex A, because you have to show this relationship in the Statement of Applicability (clause 6.1.3 d) - you have to provide justification for the inclusion of particular controls.
Regarding A.5.1.1 (Policies for information security) - basically you can select this control for any risk that is related to organizational issues; A.5.1.2 (Review of the policies for information security) - you can select this control whenever you have a risk related to documentation that is not updated.
Jan 12, 2016