Expert Advice Community

Justification for selecting a control

Nika    Created: Dec 04, 2020    Last commented: Dec 07, 2020


I know that generally the justification for selecting a control can be a risk, a Top management solution, or a legal requirement.

Can the justification also be "Best practices in IT" or "IT Management decision"? Or must it be one of the 3 mentioned above?

Thank you!


Expert
Rhand Leal Dec 07, 2020

In general, a “Top Management decision” is made because the management considers the control a market best practice in the related field (i.e., best practice in IT for a network control, best practice in HR for a human-related control, etc.), so your first example is acceptable (it will only make the main reason explicit), but it needs to be related to the highest position in the ISMS scope (e.g., "Best practices in IT according to Top Management").

Regarding your second example, you can use IT management only if this is the highest position in your ISMS scope (e.g., the ISMS scope is limited to the IT department or IT processes).

These articles will provide you with further explanation about risk management and the SoA:
