Expert Advice Community

Selection of controls
Guest user Created:   Jun 13, 2018 Last commented:   Jun 13, 2018


We have done the risk assessment and I am working on the Statement of Applicability. We want to include the EU GDPR in our company, but I am a bit insecure in how we shall do this in the most effective way.

Expert
Rhand Leal Jun 13, 2018

We are doing third-party inspections of vessels and in our report format we are taking pictures of the seaman’s certificates and include those in the report we are making.

The certificates contain personal information such as name, DOB, certificate number and a picture of the seaman. We are issuing the final report to the client, normally the vessel owner or the vessel owner's client, e.g. an oil company.

We are storing the information in our database and use the information to verify the skills of the seaman.

My question to you is: do we need to implement all the controls identified in the Statement of Applicability that I have identified under the EU GDPR (see column “Justification for selection” in the attachment), or is it sufficient to implement the controls that we have identified in Appendix 1 Risk Treatment Table?

Answer: To be compliant with ISO 27001, controls from Annex A must be implemented if at least one of the following occurs:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) with which the organization must comply
- There is a Top Management decision to implement the controls, by considering them as good practices.

Considering that, you must implement controls not only to treat unacceptable risks identified in the risk assessment, but also controls that can fulfill requirements of the EU GDPR.

This article will provide you with further explanation about controls selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

These materials will also help you regarding controls selection:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
