Expert Advice Community


ISO27001 Implementation

Guest user Created:   Sep 15, 2021 Last commented:   Sep 15, 2021

Good day

I trust this email finds you well.

I have a question, if I may ask. I understand that your services are, in fact, your income, so I don't want to seem as though I am taking advantage.

We are a software development house, planning on implementing ISO 27001. I am going through the webinars and also the Foundations Course.

May I ask: the controls start at 5 (5.1). Is this because this is where the 27001 family starts? We just want to be sure not to miss controls. If there are 114 controls (in 40 sections), I take it not all of them fall under ISO 27001, and that is why not all 114 are listed?


Rhand Leal Sep 15, 2021

ISO 27001 consists of two parts:

1 - The main part of the standard, clauses 0 to 10, of which clauses 4 to 10 are mandatory. These clauses define what an Information Security Management System (ISMS) needs to perform, document, record, and deliver.

2 - Annex A, which has 14 sections, running from A.5 to A.18. These sections contain the 114 controls, which define information security requirements and control objectives.

ISO 27001 Annex A is based on the British Standard BS 7799-1 (Information technology - Code of practice for information security management), which had the following structure:

0 introduction
1 scope
2 terms and definitions
3 structure of this standard
4 risk assessment and treatment
5 security policy
6 organization of information security
7 asset management
8 human resources security
9 physical and environmental security
10 communications and operations management
11 access control
12 information systems acquisition, development and maintenance
13 information security incident management
14 business continuity management
15 compliance

So, when this content was incorporated into ISO 27001 Annex A in the 2005 version, the names and section numbers from sections 5 to 15 of the old BS 7799-1 were kept to facilitate the transition for those who used the BS standard, only adding the "A." prefix to indicate that they are part of the ISO 27001 Annex. When ISO 27001 was updated to the 2013 version, this sequence was maintained.

Here you can see a further explanation:
- A list of sections in Annex A
- What is ISO 27001

This whitepaper can also help you:
- Clause-by-clause explanation of ISO 27001 (PDF)
