Mapping of requirements categories to ISO 27001 controls
1) There may be a requirement for some controls for the HR department. We would then choose something like ‘Human Resources Security’ from the dropdown list for the Area field, right?
But my point is that there is no option for Human Resources Security available from the dropdown list for the Area field.
So my initial question some time ago was, why is Human Resources not listed as an area? Is this an omission (a bug) or has this been left out deliberately? And if so, why is this left out when all other control categories are available from the Area drop-down list?
Answer: The absence of a Human Resources Security area is a design decision because HR security controls are related to the following areas:
Managing security with suppliers and partners: A.7.1.1, A.7.1.2, A.7.2.2
Confidentiality obligations and non-disclosure agreements: A.7.1.2, A.7.3.1
Handling security events, incidents, and data breaches: A.7.2.3
Control A.7.2.1 is related to the Information Security Policy
But you are right, we will add the HR area to make the Register more user friendly.
2) I understand the reasoning behind mandatory safeguards, but my question about that was where do these requirements show up in the SoA? Or do they need to be added to the SoA manually?
I do believe that the combination of allowing the selection of an area together with the ability to specify individual controls would be taking the best of both worlds. I have made this suggestion to Aleksandra as part of request 63693.
Answer: When a requirement area is chosen in the Register of requirements, the related controls will be displayed automatically in the Statement of Applicability. There is no need for manual addition.
In case of need, i.e., when you need to relate a control to a specific requirement that is not automatically defined, you can edit the specific justification in the SoA and make the inclusion manually.
Jul 08, 2022