Questions related to Controls
1. When doing the Access Control policy we found ourselves relatively short of content in the policy document (this has not appeared to be the case in all policies we’ve worked through). Are you able to give us any guidance on where we could find resources with more prescriptive control examples, than are found in the ISO 27002 standard? The challenge we seem to have is the policies are not all encompassing in terms of coverage of the controls, and when we turn to the controls in the standard, the controls appear quite vague in some cases. Is there somewhere a next level down of control examples? Any comments / insights you can offer around this would be appreciated.
2. Is there anything at all stopping us from incorporating the controls found in CSA CCM into our documentation suite? Many map to ISO controls, but in some cases appear to be more specific.
If we were doing this, do you have any suggestions or comments we should keep in mind when approaching this?
Assign topic to the user
1. When doing the Access Control policy we found ourselves relatively short of content in the policy document (this has not appeared to be the case in all policies we’ve worked through). Are you able to give us any guidance on where we could find resources with more prescriptive control examples, than are found in the ISO 27002 standard? The challenge we seem to have is the policies are not all encompassing in terms of coverage of the controls, and when we turn to the controls in the standard, the controls appear quite vague in some cases. Is there somewhere a next level down of control examples? Any comments / insights you can offer around this would be appreciated.
For more prescriptive examples you can use to customize your Access Control Policy, I suggest you consult the NIST SP 800-53 document.
For further information, see:
- How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
2. Is there anything at all stopping us from incorporating the controls found in CSA CCM into our documentation suite? Many map to ISO controls, but in some cases appear to be more specific.
If we were doing this, do you have any suggestions or comments we should keep in mind when approaching this?
ISO 27001 does not limit applicable controls to those listed on Annex A, so organizations can develop their own controls, or use controls from other sources, so you incorporate controls from CSA CCM into your documents.
As a recommendation for using this approach, you must remember to include a reference to controls external to Annex A into your Statement of Applicability. This can be done either by including a new control in the SoA list (if the new controls cannot be mapped to controls from Annex A), or by including a comment in the implementation method column referring to the mapped control.
These articles will provide you a further explanation about developing documents:
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
This material will also help you regarding security controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Comment as guest or Sign in
Jan 29, 2021