Expert Advice Community

Which controls to apply?

Guest user | Created: Jan 12, 2016 | Last commented: Jan 12, 2016

Is there any control that I have an obligation to implement? For example, control 11.3.1 - Using passwords - do I have to use this control, considering that all employees work with computers? Or does it depend on the risk assessment?
DejanK Jan 12, 2016

Answer: None of the controls from Annex A are mandatory - any control can be excluded if there are no risks or other legal or regulatory requirements; however, it is extremely rare to see a company that has excluded control A.11.3.1.

Control 11.3.1 suggests that I have a system that changes passwords. Once I apply the control, do I have to use all of its suggestions, or can I do it my way, for example generating passwords myself instead of by a system?

Answer: There is no such requirement in ISO 27001:2005 A.11.3.1 - perhaps you are reading ISO 27002? In any case, any requirement that doesn't exist in ISO 27001 is not mandatory. This means you can apply your rules as long as they are not conflicting with ISO 27001 and that they reflect your risk assessment.

When I apply a control that refers to another, should I use this one too?

Answer: I'm not sure if I understood your question well, but you have to apply all the controls where there are risks or legal or regulatory requirements. Of course, you can implement a couple of controls together.
