One Article Review

Source NoticeBored
Identifier 5001393
Publication date 2022-06-06 10:06:44 (seen: 2022-06-05 23:06:23)
Title The dreaded Statement of Applicability
Text Subclause 6.1.3 of ISO/IEC 27001:2013 requires compliant organisations to define and apply an information security risk treatment process to:

a) select appropriate information security risk treatment options, taking account of the risk assessment results;

The 'risk treatment options' (including the information security controls) must be 'appropriate' and must 'take account of' (clearly relate to) the 'risk assessment results'. The organisation cannot adopt a generic suite of information security controls simply on the basis that they have been recommended or suggested by someone - not even if they are noted in Annex A.

b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;

NOTE Organizations can design controls as required, or identify them from any source.

This requirement clearly specifies the need to determine all the controls that the organisation deems necessary to mitigate unacceptable information risks. Note, however, that it doesn't actually demand they are fully implemented: see point d) below.

c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;

NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.

NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and cont
Envoyé Oui
Tags Guideline


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.