Questions related to ISO 27001 Controls
I am curious to know about the coverage of all controls during the external audit. To one of my question, you said that only the controls which are applicable can be considered.
So, my next question is: I am working for an IT software company, and can I skip any or all of the following controls?
- A.6.2 Mobile devices and teleworking
- A.7 Human resources security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
Please advise. I would like to know:
a. What are the criteria for selecting a control?
b. Which controls are mandatory (a must-have control) that the external auditor would expect to see for certifying the company?
My understanding is that all the controls are applicable to all industries, companies, etc. Hence the question.
Please note that the controls you mentioned, as well as all controls from ISO 27001 Annex A, are applicable only in the following cases:
- There are relevant risks that demand the implementation of controls
- There are legal requirements (e.g., laws, regulations, or contracts) that demand the implementation of controls
- There is a management decision to implement controls (e.g., by considering them a good practice)
Considering that, according to ISO 27001, if none of the above conditions occurs, you do not need to implement a control.
Regarding control selection criteria, a control must be selected considering its capability to reduce the likelihood and/or impact of a risk so that the risk value decreases to an acceptable level.
Regarding “mandatory controls”, there is no such thing prescribed by the standard. During the audit, the certification auditor will look to see if the stated applicable controls make sense considering the results of the risk assessment and the applicable legal requirements.
These articles will provide you with further explanation about risk management:
- 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
- Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
- Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
This material will also help you regarding risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
Sep 13, 2022