Annex A of ISO 27001 is probably the most talked-about annex of all the management standards. Why is there so much talk about it? Because sometimes it is questionable.
If you have read Annex A, you saw that it lists 133 security controls. If that is the case, is it the most used part of the standard?
The purpose
Annex A contains the following clauses (sometimes called the domains of ISO 27001 Annex A):
A.5 Security policy
A.6 Organization of information security
A.7 Asset management
A.8 Human resources security
A.9 Physical and environmental security
A.10 Communications and operations management
A.11 Access control
A.12 Information systems acquisition, development and maintenance
A.13 Information security incident management
A.14 Business continuity management
A.15 Compliance
As already mentioned, Annex A contains 133 controls, and as can be seen from the clauses they do not focus only on IT - they also cover physical security, legal matters, human resources management, organizational issues, etc.
The purpose of Annex A is to help you find the right control(s) to decrease the unacceptable risks identified during the risk assessment. In that sense, you can consider Annex A a catalog of security measures to be used during the risk treatment process, so that no important control is forgotten.
Annex A is also where ISO 27001 and ISO 27002 come together - the controls in ISO 27002 have the same names as those listed in Annex A of ISO 27001, but the difference is in the level of detail: ISO 27001 gives only a brief definition of each control, while ISO 27002 provides detailed guidelines for implementing it.
Disadvantages
Now, if you think that Annex A is a perfect tool for your information security project, you are being too optimistic - it has some things that make no sense. Some controls are defined to address almost the same problem, which is sometimes confusing - e.g. A.9.2.6 (Secure disposal or re-use of equipment) and A.10.7.2 (Disposal of media). On the other hand, some problems, such as relationships with third parties, are scattered across various clauses of Annex A - you will find them in section A.6.2 (External parties), in A.8 (Human resources security), in A.10.2 (Third party service delivery management), and in control A.12.5.5 (Outsourced software development). This sometimes makes it difficult to use Annex A as an implementation tool.
But these are not the only sources of confusion - some of the controls in Annex A are defined as policies, guidelines and procedures, yet they do not need to be documented. It may seem strange, but only where the word "documented" appears does the policy, standard or procedure have to be in writing. If you look through the whole of Annex A, the word "documented" is mentioned in only 6 controls (A.5.1.1, A.7.1.3, A.8.1.1, A.10.1.1, A.11.1.1, A.15.1.1) - all the other controls can be implemented without a document.
However, you should not abuse this flexibility of Annex A - the larger the organization, the more documents it needs to produce, to ensure that everyone performs the security procedures in the same (consistent) way. On the other hand, you should be careful not to overdo the documentation - if there is too much of it, no one will read it.
Links with the main part of ISO 27001
The main part of the standard, or better, its mandatory clauses 4 to 8, contains the management-system part of the standard - it requires the PDCA cycle (Plan-Do-Check-Act phases), including risk assessment and treatment, control of documents, management of records, provision of resources, internal audit, management review, corrective and preventive actions, etc.
As expected, the risk assessment and treatment process is the main link between clauses 4 to 8 and the controls in Annex A - it is the risk assessment that will help you decide whether the individual controls in Annex A are reducing the risks or not.
This means that clauses 4 to 8 and Annex A cannot exist without each other - the risk assessment is not useful when there are no controls to reduce the risks, and the only way to determine the applicability of the controls is through risk assessment.
In my opinion, the focus on risk and the flexibility to apply only those security controls you consider appropriate are the best things in ISO 27001 - you have to make sure they are fully exploited.
ISO 27001 Annex A Controls