GlenView Group, Inc.
ISO 27001 does not formally mandate specific information security controls, since the controls that are required vary markedly across the wide range of organizations adopting the standard. The information security controls from ISO 27002 are summarized in Annex A to ISO 27001, rather like a menu. Organizations adopting ISO 27001 are free to choose whichever specific information security controls are applicable to their particular information risks, drawing on those listed in the menu and potentially supplementing them with other à la carte options (sometimes known as extended control sets).

As with ISO 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organization's information risks, which is one vital part of the ISMS. Furthermore, management may elect to avoid, share or accept information risks rather than mitigate them through controls - a risk treatment decision within the risk management process.

Annex A: Reference control objectives and controls - little more than a list of the titles of the control sections in ISO 27002. The annex is 'normative', implying that certified organizations are expected to use it, but the main body of the standard says they are free to deviate from or supplement it in order to address their particular information risks. Annex A alone is hard to interpret; please refer to ISO 27002 for more useful detail on the controls, including implementation guidance. The information security controls under ISO 27001 are grouped as follows: