Expert Advice Community

Who verifies the implementation of controls?

Guest user, created Jan 05, 2018, last commented Jan 05, 2018


I have your documentation toolkit. In the document called “Checklist of Mandatory Documentation”, the “Mobile device policy” is in the list of “Commonly used non-mandatory documents”. As for A.6.2.1 (“A policy and supporting security measures shall be adopted…”), I understand that we don’t need to write such a policy, as the control does not say “shall be documented”, but it just feels strange not to have a policy in written form… Is it part of the audit (internal and external) to verify that everyone knows how to handle mobile devices?


Expert: Dejan Kosutic, Jan 05, 2018

Answer: It is primarily the responsibility of the company's management to make sure that everyone knows how to handle mobile devices, and of course it is the internal and external auditor's job to check whether this is really true.

Regarding the word "policy": besides a written document, it can also be in verbal form, or a policy can be part of an IT policy embedded in some software. Therefore you are right: only when the standard says "shall be documented" does the document need to be written. See also: Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
