Applying the Annex A controls of ISO 27001 and integrating them into management and security procedures: drawing up the complete list of security controls, their records and how each one is applied
If you draw up an ordered list of all the controls in Annex A of ISO 27001:2017, you can readily plan the implementation of the security controls needed to protect information and to meet the requirements of clause 6 of the standard, Planning.
To provide objective evidence of compliance with the standard's requirements, we suggest that for each control required by Annex A you record exactly:
- The number N assigned to the control (a simple natural number: 1, 2, 3, etc.)
- An indication of whether the control is included (Yes) or not included (No) in the management system
- How the control has been applied
- The documentary reference (the record) that gives objective evidence that the control has been applied
- The person responsible for the effectiveness of the control against information security risks
Information security plan
Security procedures
For convenience, here is an example that lays out in tabular form the correspondence between the Annex A controls and their application in an information security management system.
The document that describes in detail how the Annex A controls of ISO 27001:2017 are applied constitutes the Information Security Plan.
ISO 27001:2017 requires a formal Statement of Applicability (SoA) for these controls: the list of controls the company has decided to implement for compliance and for the subsequent certification of its information security management system, with a justification for each control that is included and for each that is excluded. The Information Security Plan also formally satisfies this requirement.
Information security objectives
Once the Information Security Plan has been drafted, the company developing an information security management system must determine its objectives. Clause 6.2 of ISO 27001:2017 requires information security objectives to be established, and the system demonstrates its effectiveness by actually reaching acceptable levels of information security.
Pay close attention to your objectives!
They must relate to the ultimate purpose of all this work, which is always (and always remains) to protect information from the risks of loss of confidentiality, integrity and availability.
Our suggestion for an effective system is to establish:
- Security indicators for the assets identified in the asset inventory
- A target (the measurable level of security desired) for each indicator
- How performance, that is the result actually achieved in terms of information security, will be measured against the target that has been set
The work could take inspiration from the following example, in which we set an information security objective relating to human resources. The objective is documented using the forms.
Pay close attention to details.
The objective must relate directly to information security. If you want the system to be effective, do not underestimate the value of the S.M.A.R.T. method in setting the objective.
SMART is an acronym whose letters indicate that the objective should be:
S Specific
M Measurable
A Achievable (based on concrete actions)
R Realistic (compatible with the available resources)
T Time-related (bounded in time and cost)