Answer:
ISO 27001 does not require each control to be implemented, nor does it require each implemented control to be documented. Therefore, you have the following options:
a) Exclude a control in the Statement of Applicability if there are no risks or requirements for this particular control
b) Implement a control and write a separate policy or procedure for it
c) Implement a control and document it through a policy or a procedure which also covers other controls
d) Implement a control without documenting it - in this case you only describe briefly how you implemented it in the SoA
These articles will provide you with further explanation about selecting controls and the SoA:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
2 - For my own reference: I assumed that the ISO standard and controls (Annex A or SoA) are copyright protected? But I saw you used the numbering and especially the "titles" from the ISO standard; is this allowed? I'm just wondering if I can use my own Excel file "including the official control description" as well and store it in Conformio or on our file server.
Answer: Using the numbering and titles as a reference to the standard is allowed, because many requirements (like the one which defines the SoA content) oblige you to make reference to the standard to be compliant. What is not allowed is copying the content of sections, as well as copying the descriptions of controls, but you can write them in other words to use in your Excel file with no problem.
Dec 04, 2018