ISO27001 Implementation
Good day
I trust this email finds you well.
I have a question; I wonder if I may ask. I understand that, presumably, your services are in fact your income, so I don’t want to seem as though I am taking advantage.
We are a software development house, planning on implementing ISO27001. I am going through the webinars and also the Foundations Course.
May I ask, the controls start at 5 (5.1) – is this because this is where the 27001 family starts? We just want to be sure not to miss Controls. If there are 114 (in 40 sections) Controls, I take it not all of them fall under ISO27001 – that is why not all 114 are listed?
ISO 27001 consists of two parts:
1 - the main part of the standard, from clauses 0 to 10, out of which clauses 4 to 10 are mandatory. These clauses define what an Information Security Management System (ISMS) needs to perform, document, record, and deliver.
2 - Annex A, which has 14 sections - it starts from A.5 to A.18. These sections contain the 114 controls, which define information security requirements and control objectives.
ISO 27001 Annex A is based on British Standard BS 7799-1 (Information technology - Code of practice for information security management), which had the following structure:
Foreword
0 introduction
1 scope
2 terms and definitions
3 structure of this standard
4 risk assessment and treatment
5 security policy
6 organization of information security
7 asset management
8 human resources security
9 physical and environmental security
10 communications and operations management
11 access control
12 information systems acquisition, development and maintenance
13 information security incident management
14 business continuity management
15 compliance
Bibliography
Index
So, when this content was incorporated into ISO 27001 Annex A, version 2005, to facilitate the transition for those who used the BS standard, the names and section numbers from sections 5 to 15 of the old BS 7799-1 were kept, with only the "A." added to indicate they are part of the ISO 27001 Annex. When ISO 27001 was updated to version 2013, this sequence was maintained.
Here you can see a further explanation:
- A list of sections in Annex A: https://advisera.com/27001academy/iso-27001-controls/
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
This whitepaper can also help you:
- Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
Sep 15, 2021