Not implementing 8.2

Guest post Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

(Classification of Information) Is it possible to accept the risk that comes with not implementing 8.2 and still certify for ISO 27001? Background info: 'Shared Service' organisation that offers IT / Human Resources / Facility Management to other organisations. There are no known legal/contractual obligations for labelling/classifying information.



DejanK Jan 12, 2016

Theoretically, it is possible to accept any kind of risk.

By the way, risks are accepted (or not accepted) by analyzing only the risks themselves, not the associated controls. Usually, the risks that would require classification are related to confidential information.

If you handle some confidential information from your clients, usually the risk is that the people handling that information won't know the rules for protecting it. Therefore, in such cases classification and the associated rules for protection are the best way to resolve that risk, so in most cases the controls from A.8.2 are found applicable.

