Annex A of ISO 27001 is likely the most popular extension of all the ISO principles – this is on the grounds that it gives a fundamental instrument to overseeing Information security chances: a list of safety controls that are to be utilized to work on the security of Information resources.
This article will give you a comprehension of how Annex A is organized, as well as its relationship with the fundamental piece of ISO 27001, and with ISO 27002.
The most effective way to comprehend Annex A is to consider it an inventory of Information security controls you can choose from – out of the 114 controls that are recorded in Annex A, you can pick the ones that are relevant to your organization’s extension. Another methodology is to utilize Annex A as an ISO 27001 controls agenda, for an underlying assessment of your association’s preparation for an Information security management system.
Also, Check –>> What is ISO 27001 Certification
Relationship with ISO 27001 with the main clause
Not these ISO 27001:2013 controls are required – organizations can decide for themselves which controls they see as relevant, and afterward, they should carry out them (as a rule, something like 90% of the controls is material); the rest are pronounced to be non-pertinent. For instance, control A.14.2.7 Outsourced development can be set apart as non-material if an organization doesn’t rethink the improvement of programming. The fundamental rule for choosing the controls is through risk management, which is characterized in clauses 6 and 8 of the main part of the ISO 27001 Standard.
Further, clause 5 of the main part of ISO/IEC 27001 Certification standard expects you to characterize responsibilities regarding dealing with those controls, and clause 9 expects you to measure assuming that the controls have satisfied their motivation. At last, clause 10 expects you to fix whatever is the matter with those controls and to ensure that you accomplish Information security management system goals with those controls.
What is the distinction between ISO 27001 standard and ISO 27002 standard?
Annex A of ISO 27001 doesn’t give a lot of insight regarding each control. There is normally one sentence for each control, which provides you with a thought of what you want to accomplish, but not how to get it done.
For this reason, ISO 27002 was distributed – it has the very same design as ISO 27001 Annex A: each control from Annex An exists in ISO 27002, however it has a substantially more detailed clarification on the most proficient method to carry out it. In any case, don’t fall into the trap of utilizing just ISO 27002 for dealing with your Information security chances – it doesn’t give you any signs concerning how to choose which controls to carry out, how to quantify them, how to dole out liabilities, and so forth.
Also, Check –>> ISO 27001 Certification steps
Use of Annex A
There are two or three things I like about Annex A of ISO 27001 Certification standard- it provides you with an ideal outline of which controls you can apply so you remember some that would be significant, and it gives you the adaptability to pick just the ones you view as material to your business so you don’t need to squander assets on the ones that do not apply to you as per our business requirement. The facts confirm that Annex A doesn’t give you much detail on execution, yet this is where ISO 27002 comes in; it is additionally a fact that a few organizations could mishandle the adaptability of ISO-27001 and point just for the base controls to pass the certification, yet this is a topic for a different blog entry.