
Questions related to ISO 27001 Controls

Guest user Created: Sep 13, 2022 Last commented: Sep 13, 2022

I am curious to know about the coverage of all controls during the external audit. To one of my question, you said that only the controls which are applicable can be considered.

So, my next question is: I am working for an IT software company, and can I skip any or all of the following controls?

A.6.2 Mobile devices and teleworking
A.7 Human resources security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security

Please advise. I would like to know:

a. What are the criteria for selecting a control?

b. What all are the mandatory controls (a must control) which the external auditor would like to see for certifying the company?

My understanding is that all the controls are applicable to all the industries, companies, etc. Hence the question.

Expert
Rhand Leal Sep 13, 2022

Please note that the controls you mentioned, as well as all controls from ISO 27001 Annex A, are applicable only in the following cases:

  • There are relevant risks that demand the implementation of controls
  • There are legal requirements (e.g., laws, regulations, or contracts) that demand the implementation of controls
  • There is a management decision to implement controls (e.g., by considering them a good practice)

Considering that, according to ISO 27001, if none of the above conditions occurs, you do not need to implement the control.

Regarding selection control criteria, a control must be selected considering its capability to reduce the likelihood and/or impact of a risk so the risk value decreases to an acceptable level.

Regarding “mandatory controls”, there is no such thing prescribed by the standard. During the audit, the certification auditor will look to see if the stated applicable controls make sense considering the results of the risk assessment and applicable legal requirements.

These articles will provide you with further explanation about risk management:

This material will also help you regarding risk management:
