Is this compliant with ISO/IEC 27001?

An organization documented each security control that it implemented by describing its function in detail.

Is this compliant with ISO/IEC 27001?
A. No, the standard requires documenting only the operation of processes and controls, so no description of each security control is needed
B. No, because the documented information must follow a strict format, including the date, version number and author identification
C. Yes, but documenting each security control rather than the process in general will make it difficult to review the documented information

Answer: C

Explanation:

According to ISO/IEC 27001:2022, clause 7.5, the ISMS must include the documented information required by the standard and the documented information the organization itself determines to be necessary for the effectiveness of the ISMS (7.5.1 b). Clause 8.1 adds that the organization keeps documented information to the extent necessary to have confidence that its processes have been carried out as planned. The information the standard explicitly requires includes the scope of the ISMS (4.3), the information security policy (5.2), the risk assessment and risk treatment processes, the Statement of Applicability and the risk treatment plan (6.1), the information security objectives (6.2), the results of risk assessments and risk treatment (8.2, 8.3), and the results of monitoring, measurement, analysis and evaluation, internal audit and management review (9.1, 9.2, 9.3).

The standard does not fix the level of detail of the documented information; the note to 7.5.1 states that its extent can differ from one organization to another depending on size, the type of activities, processes, products and services, the complexity of the processes and their interactions, and the competence of persons. This is why option A is wrong: documenting each control is permitted, because the organization may determine that such documentation is necessary for the effectiveness of its ISMS. Option B is also wrong: 7.5.2 requires appropriate identification and description (for example title, date, author or reference number), an appropriate format and medium, and review and approval for suitability and adequacy, but it prescribes no strict format.

Documenting each implemented security control by describing its function in detail therefore does not violate the standard, but it may not be the most efficient or effective way to document the ISMS. Documenting each control separately makes the documented information harder to review, update and communicate, and can create duplication or inconsistency between documents. A better approach is to document the processes and activities in which the controls are applied and to reference the relevant controls from Annex A or other sources, which keeps the documented information aligned with the process approach on which the standard is built.

Reference: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection ― Information security management systems ― Requirements, clauses 4.3, 5.2, 6.1, 6.2, 7.5, 8.2, 8.3, 9.1, 9.2, 9.3, and Annex A

ISO/IEC 27001:2022 Lead Implementer objectives and content, 4 and 5
