Just taking as example the HR security, the division which is to implement ISO 27001 is using Company's HR procedures. Does the division need to describe exactly in SoA what processes are shared, or is it enough to write in SoA that HR Security controls are Shared with the Company?
Answer: By "processes" I'm assuming you are referring to security processes performed in a shared way by the Division and the Company's HR.
Considering that, first of all, for shared controls you have to state clearly in the SoA which part of each control is implemented by whom. Regarding the level of detail about how a control is implemented, if you have documents related to HR security available (e.g., policies or procedures) you can write a small text to provide a general overview and include references to these documents, or to the location where they can be found. If you do not have these documents available, then you have to describe in the SoA the whole HR security process.
Nov 22, 2017