Expert Advice Community

Mapping of requirements categories to ISO 27001 controls

Guest
Guest user Created:   Jul 08, 2022 Last commented:   Jul 08, 2022

Hi Dejan,

Thanks for your reply and I understand what you are saying in the bullet points. However, I do believe my questions are still not fully understood.

1) There may be a requirement for some controls for the HR department. We would then choose something like ‘Human Resources Security’ from the drop-down list for the Area field, right? But my point is that there is no option for Human Resources Security available from the drop-down list for the Area field. So my initial question some time ago was, why is Human Resources not listed as an area? Is this an omission (a bug) or has this been left out deliberately? And if so, why is this left out when all other control categories are available from the Area drop-down list?

2) I understand the reasoning behind mandatory safeguards, but my question about that was where do these requirements show up in the SoA? Or do they need to be added to the SoA manually?

I do believe that the combination of allowing the selection of an area together with the ability to specify individual controls would be taking the best of both worlds. I have made this suggestion to Aleksandra as part of request 63693.

I still would very much appreciate having a few hours of detailed training in the use of Conformio (like explaining the function of every field), as there are still areas that are unclear to me, that are not documented, and that are costing me a lot of time getting them answered by sending emails to support and even going back and forth quite a few times, like about this issue. I would appreciate it if some training is available in the short term.


Expert
Rhand Leal Jul 08, 2022

1) There may be a requirement for some controls for the HR department. We would then choose something like ‘Human Resources Security’ from the dropdown list for the Area field, right?

But my point is that there is no option for Human Resources Security available from the dropdown list for the Area field.

So my initial question some time ago was, why is Human Resources not listed as an area? Is this an omission (a bug) or has this been left out deliberately? And if so, why is this left out when all other control categories are available from the Area drop-down list?

Answer: The absence of a Human Resources Security area is a design decision, because the HR security controls are already covered by the following areas:

- Managing security with suppliers and partners: A.7.1.1, A.7.1.2, A.7.2.2
- Confidentiality obligations and non-disclosure agreements: A.7.1.2, A.7.3.1
- Handling security events, incidents, and data breaches: A.7.2.3
- Control A.7.2.1 is related to the Information Security Policy

But you are right, we will add the HR area to make the Register more user friendly.

2) I understand the reasoning behind mandatory safeguards, but my question about that was where do these requirements show up in the SoA? Or do they need to be added to the SoA manually?

I do believe that the combination of allowing the selection of an area together with the ability to specify individual controls would be taking the best of both worlds. I have made this suggestion to Aleksandra as part of request 63693.

Answer: When a requirement area is chosen in the Register of requirements, the related controls will be displayed automatically in the Statement of Applicability. There is no need for manual addition.

In case of need, i.e., when you need to relate a control to a specific requirement that is not automatically defined, you can edit the specific justification in the SoA and make the inclusion manually.
