Security Policy: Difference between revisions

Line 120: Line 120:
:2. Determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
:2. Determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
     <small>NOTE Organizations can design controls as required, or identify them from any source. </small>
     <small>NOTE Organizations can design controls as required, or identify them from any source. </small>
:3. Compare the controls determined in [[Security_Policy#Information_security_risk_treatment|3.1.3]].2 above with those in Annex A of [https://drive.google.com/file/d/0B98VxoZqj8C6R0Jva0pSWTFyQzA/view ISO/IEC 27001:2013] and verify that no necessary controls have been omitted;
:3. Compare the controls determined in [[Security_Policy#Information_security_risk_treatment|3.1.3.]]2 above with those in Annex A of [https://drive.google.com/file/d/0B98VxoZqj8C6R0Jva0pSWTFyQzA/view ISO/IEC 27001:2013] and verify that no necessary controls have been omitted;


   <small>NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.
   <small>NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.
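Review bot: The relabelling in step 3 only moves the trailing period inside the link label (from "[[…|3.1.3]].2" to "[[…|3.1.3.]]2"); the anchor Security_Policy#Information_security_risk_treatment and the rendered text "3.1.3.2" are unchanged, so the edit is cosmetic, and it leaves the period attached to the link and the "2" outside it. If the intent is to cite the numbered step, label the whole reference consistently (for example "[[…|3.1.3.2]]") and use the same form for every cross-reference to this section so that later edits do not introduce a third variant.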
Line 126: Line 126:
   NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.</small>
   NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.</small>


:5. Produce a Statement of Applicability that contains the necessary controls above and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;
:5. Produce a Statement of Applicability that contains the necessary controls (see [[Security_Policy#Information_security_risk_treatment|3.1.3.]] 2 and 3 and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;
:6. Formulate an information security risk treatment plan; and
:6. Formulate an information security risk treatment plan; and
:7. Obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.
:7. Obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.
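Review bot: The new wording of step 5 opens a parenthesis in "(see [[…|3.1.3.]] 2 and 3 and justification for inclusions" that is never closed, so the rendered sentence runs the cross-reference into the rest of the clause. Close it before "and justification", e.g. "(see [[Security_Policy#Information_security_risk_treatment|3.1.3]], steps 2 and 3)", and drop the space between "3.1.3." and "2" so the reference reads the same way as the one used in step 3.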