Selection of controls
We are doing third-party inspections of vessels, and in our report format we take pictures of the seamen's certificates and include those in the report we are making.
The certificates contain personal information such as: name, DOB, certificate number and a picture of the seaman. We issue the final report to the client, normally the vessel owner or the vessel owner's client, e.g. an oil company.
We store the information in our database and use it to verify the skills of the seaman.
My question to you is: do we need to implement all the controls identified in the Statement of Applicability that I have identified under the EU GDPR (see column "Justification for selection" in the attachment), or is it sufficient to implement the controls that we have identified in Appendix 1, Risk Treatment Table?
Answer: To be compliant with ISO 27001, controls from Annex A must be implemented if at least one of the following occurs:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) with which the organization must comply
- There is a Top Management decision to implement the controls, considering them to be good practices.
Considering that, you must implement controls not only to treat the unacceptable risks identified in the risk assessment, but also controls that fulfill requirements of the EU GDPR.
This article will provide you further explanation about controls selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding controls selection:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Jun 13, 2018