1. When doing the Access Control policy we found ourselves relatively short of content in the policy document (this has not appeared to be the case in all policies we’ve worked through). Are you able to give us any guidance on where we could find resources with more prescriptive control examples, than are found in the ISO 27002 standard? The challenge we seem to have is the policies are not all encompassing in terms of coverage of the controls, and when we turn to the controls in the standard, the controls appear quite vague in some cases. Is there somewhere a next level down of control examples? Any comments / insights you can offer around this would be appreciated.
2. Is there anything at all stopping us from incorporating the controls found in CSA CCM into our documentation suite? Many map to ISO controls, but in some cases appear to be more specific.
If we were doing this, do you have any suggestions or comments we should keep in mind when approaching this?