I have some confusion about control selection and implementation.
Scenario:
At the end of the risk assessment phase, I have selected controls to mitigate these risks, which are not more than 30 and specific to the risks above the acceptance threshold. During control selection, I came across some controls like those in sections 5, 6, 7 and 8 of Annex A (ISO 27001):
6.1.2: Information security coordination
6.1.3: Allocation of information security responsibilities
6.1.4: Authorization process for information processing facilities
7.1.2: Ownership of assets
7.1.3: Acceptable use of assets
etc.
These are not selected as controls to reduce the risks in the risk treatment plan. But these seem to me to be the baseline controls for effective operation of the ISMS. So I have just selected them as baseline controls in a baseline approach.
Now the real part of the problem is this:
1) There are some controls which are identified in both the risk treatment plan and the baseline approach. Should I put these controls in the baseline, the risk treatment plan, or both for their implementation?
2) For the controls selected in the risk treatment, I am developing an action plan/risk treatment plan. But I am confused about how to proceed with controls identified in the baseline approach. Should I develop an action plan for them too (for every single baseline control), or is there another way?
3) What will be the order of implementation of the controls? Should baseline controls or the controls identified in the risk treatment plan be given higher priority?
Moreover, it seems to me that most of the controls from Security Policy, Organization of Information Security (Internal organization), Asset Management and Human Resource Security are compulsory for an effective ISMS irrespective of whether they are identified in the risk assessment phase or not. Is that true? If yes, what will be the procedure to handle them if they are not identified in the risk assessment phase?
Thanks and Regards,
Shahzad