One Article Review

Home - The article:
Source: NoticeBored
Identifier: 2148827
Publication date: 2020-09-24 11:12:00 (viewed: 2021-01-06 20:37:56)
Title: NBlog Sept 24 - status of ISO27001 Annex A
Text: One of the recurrent (zombie) threads on the ISO27k Forum concerns the status of ISO/IEC 27001:2013 Annex A. Typically the zombie is prodded from its slumber by a relatively inexperienced member naively suggesting that certain security controls from Annex A are essential, implying that they are mandatory for certification. In the course of debating and attempting to bury the zombie, some members trot out their own curious interpretations of the standard, pointing out actual and apparent discrepancies in the wording which, to them, indicate that Annex A is at least partly mandatory. I'm too polite to say they are wrong, but I believe they are misguided or mistaken - partly, it must be admitted, because the standard is ambiguously worded in some areas, hence it has to be interpreted carefully in practice. To be clear, based on my three decades' professional experience and membership of ISO/IEC JTC 1/SC 27, my position is that none of the controls outlined in Annex A are mandatory. None at all. Zero. This is a fundamental but complex issue to explain, so please forgive this lengthy post. In hope of decapitating the zombie, once and for all, I feel the urge to explain in detail. To kick off, I'll emphasise the critical distinction between two key terms: Mandatory
Sent: Yes
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.