IT controls in non-IT departments
Answer:
ISO 27001 is not an IT standard - only about 50% of the controls are IT related, which means that non-IT departments can implement many controls as well - e.g. classification of the information, access control, physical security, etc. After you perform the risk assessment for your department, you will know exactly which controls to implement.
These articles will help you:
- Information security or IT security? https://advisera.com/27001academy/blog/2010/03/01/information-security-or-it-security/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Regarding the risk assessment of contractors and subcontractors, first you have to assess which incidents can happen, and then ask the contractors through the contract to resolve those risks - this article will give you the guidelines: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
This free ISO 27001 Foundations Online Course will also help you: https://advisera.com/training/iso-27001-foundations-course/
Feb 01, 2016