Guest
Referencing to security controls in policies and procedures
At the start of the document ‘Beleid voor aanvaardbaar gebruik’ (acceptable use of information & means) you reference a number of control objectives from Annex A. These are referenced in an unspecific manner, without being specific about the way these are documented in this ‘Beleid’ or implemented individually. Does this not defeat the specific connection between risks and mitigating security measures, or are you of the opinion that that aspect (iso27k 6.2) is covered sufficiently in the ‘risk treatment plan’?
Expert
Dejan Kosutic
Jan 18, 2016
Answer:
It is true that we did not reference particular controls within the text of each security rule, because this is not required by ISO 27001 - sometimes one security rule covers several controls, and sometimes the same control is covered within several security rules, so referencing the particular control in the text of each security rule would be rather difficult.