Control sets

You will need to make a decision on what set of controls is most appropriate to use within your organisation. From this set of controls, you will select those controls necessary to control risks, and meet internal and external requirements. Sets of controls include:

  • ISO/IEC 27001:2013 Annex A
  • CIS Critical Security Controls

Some countries may have their own control sets; for example, the UK specifies five controls for basic cyber hygiene in the Cyber Essentials standard.

Particular domains, for example scientific collaboration environments, may also have their own control sets, for example in https://www.eugridpma.org/sci/

ISO/IEC 27001:2013 allows you to select controls from any source, but you must justify the exclusion of any controls from Annex A which you have chosen not to implement, to ensure that no necessary controls are overlooked.

Most organisations will choose Annex A as their normal set of controls, with additional controls chosen for particular business requirements.

Effectiveness

The controls you select must be practical for your organisation and staff to implement and understand; otherwise they will not be effective.

Selection

All controls must be selected for a reason. The core reason in ISO 27001 is to address a specific risk. The control must do something to reduce this risk.

A control may also be selected because a customer has asked you to implement it, or because a law or regulation requires it. You should try to understand these external factors in Section 4 of the standard.


This section should have a reference to ISO 27001 chapter 6: planning.

There is a strong relation with the ISO 27001 Statement of Applicability, and the risk-based selection of controls. You can use ISO 27002 and its chapters for grouping controls, or you can use other groupings that are better suited to your business processes.
