Measures Appendix A
1 - We are in possession of your toolkit for ISO 27001 and are at point 6 (Statement of Applicability). The 114 specified measures are to be checked for applicability. For us, however, the question arises as to whether all measures really have to be applied, since theoretically quite a few of them could be used, or whether only suitable measures have to be defined for the risks that we have assessed with risk levels 3 and 4 (unacceptable risks).
2 - In addition, we would like to know whether there are any legal regulations in Germany to which we must pay special attention in the course of the introduction of ISO 27001.
1 - We are in possession of your toolkit for ISO 27001 and are at point 6 (Statement of Applicability). The 114 specified measures are to be checked for applicability. For us, however, the question arises as to whether all measures really have to be applied, since theoretically quite a few of them could be used, or whether only suitable measures have to be defined for the risks that we have assessed with risk levels 3 and 4 (unacceptable risks).
Please note that you only have to state as applicable in the Statement of Applicability the controls you defined as needed to treat the risks you identified as unacceptable (according to your Risk Treatment Table), and those required by legal requirements. For the other controls, you can state that they are not applicable because there are no risks or legal requirements demanding their implementation.
By the way, included in your toolkit you have access to a video tutorial that can help you fill in the Statement of Applicability.
For further information, see:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
2 - In addition, we would like to know whether there are any legal regulations in Germany to which we must pay special attention in the course of the introduction of ISO 27001.
We are not legal experts, so our recommended approach is indeed for organizations to hire local expert advice to identify the legal requirements that must be fulfilled to be compliant with ISO 27001 in the required countries. An online search can help at the beginning of your work (for an overview), but local expert advice is highly recommended.
This article can provide a start: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
But please note that the list in this article is not fully up to date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations for each country are listed (some may even have been withdrawn).
This article will provide you with a further explanation about the identification of requirements:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
Feb 03, 2021