Expert Advice Community

Questions related to Controls

Guest user Created: Jan 29, 2021 Last commented: Jan 29, 2021

1. When doing the Access Control policy we found ourselves relatively short of content in the policy document (this has not appeared to be the case in all policies we've worked through). Are you able to give us any guidance on where we could find resources with more prescriptive control examples than are found in the ISO 27002 standard? The challenge we seem to have is that the policies are not all-encompassing in terms of coverage of the controls, and when we turn to the controls in the standard, the controls appear quite vague in some cases. Is there somewhere a next level down of control examples? Any comments / insights you can offer around this would be appreciated.

2. Is there anything at all stopping us from incorporating the controls found in CSA CCM into our documentation suite? Many map to ISO controls, but in some cases appear to be more specific.

If we were doing this, do you have any suggestions or comments we should keep in mind when approaching this?


Expert
Rhand Leal Jan 29, 2021

1. When doing the Access Control policy we found ourselves relatively short of content in the policy document (this has not appeared to be the case in all policies we've worked through). Are you able to give us any guidance on where we could find resources with more prescriptive control examples than are found in the ISO 27002 standard? The challenge we seem to have is that the policies are not all-encompassing in terms of coverage of the controls, and when we turn to the controls in the standard, the controls appear quite vague in some cases. Is there somewhere a next level down of control examples? Any comments / insights you can offer around this would be appreciated.

For more prescriptive examples you can use to customize your Access Control Policy, I suggest you consult the NIST SP 800-53 document.

2. Is there anything at all stopping us from incorporating the controls found in CSA CCM into our documentation suite? Many map to ISO controls, but in some cases appear to be more specific.

If we were doing this, do you have any suggestions or comments we should keep in mind when approaching this?

ISO 27001 does not limit applicable controls to those listed in Annex A, so organizations can develop their own controls or use controls from other sources; you can therefore incorporate controls from CSA CCM into your documents.

As a recommendation for using this approach, you must remember to include a reference to controls external to Annex A in your Statement of Applicability. This can be done either by including a new control in the SoA list (if the new controls cannot be mapped to controls from Annex A), or by including a comment in the implementation method column referring to the mapped control.
