Expert Advice Community

Templates content

Guest user Created:   Mar 21, 2019 Last commented:   Mar 21, 2019

1. Regarding the Statement of Applicability: I've done some research, and what I've seen is that I don't have to write policies / procedures for each risk. What I could also do is accept risks, avoid risks or share the risks with third parties (in this case insurers or suppliers). In that case I assume I'd have to say that it isn't applicable in the Statement of Applicability, but what do I write in the selection / non-applicability justification tab?

Expert
Rhand Leal Mar 21, 2019

Answer: First, it is important to note that the SoA is about the applicability of controls. Policies and procedures are examples of methods used to implement controls, which are considered applicable because of unacceptable risks, legal requirements or top management decisions. It is also true that you can simply use one sentence in the SoA to explain how a control will be implemented, and not develop a more complex document.

Considering that, if a control is considered not applicable, an example of a good justification is "there are no unacceptable risks or legal requirements which require the implementation of this control".

This article will provide you further information:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

2. Measurement Report: evaluation frequency (which evaluation frequency is recommended?)
Answer: There is no "standard" evaluation frequency that can be defined, because there are many variables to be considered: the level of risk involved, measurement complexity, time to process data, etc. This definition should be made on a case-by-case basis.

This article will provide you further information:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

3. A.11.2.5: Do employees really need written permission?
Answer: The proper term here would be "recorded" permission, which could be either written or included in a computerized information system. The point here is that you must preserve evidence that an authorization was given, so it can be traced for operational or audit purposes if needed.

See this article for further information:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

4. A.14: Does a webhosting company (which isn't developing software) have to comply with any of the controls in this chapter at all? I'm really stuck here.

Answer: If an organization does not have a software development process, the only other reason to consider some of the controls from section A.14 is when performing system acquisition (e.g. buying a third-party CRM), mainly those related to the definition of security requirements and system acceptance.
